From jcholast at redhat.com Tue Mar 1 07:57:39 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 1 Mar 2016 08:57:39 +0100
Subject: [Freeipa-devel] [PATCHES] 0772-0774 Python3 fixes in for client installation
In-Reply-To: <56D46E6A.2050600@redhat.com>
References: <56CAF30F.7010306@redhat.com> <56D079F2.2020501@redhat.com> <56D3EF5C.1090008@redhat.com> <56D46E6A.2050600@redhat.com>
Message-ID: <56D54B73.6000500@redhat.com>

On 29.2.2016 17:14, Petr Viktorin wrote:
> On 02/29/2016 08:12 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 26.2.2016 17:14, Petr Viktorin wrote:
>>> On 02/22/2016 12:37 PM, Petr Viktorin wrote:
>>>> Hello,
>>>> These fixes are needed for the "happy path" of ipa-client-install
>>>> --server on Python 3.
>>>
>>> Hello,
>>> Could someone please look at these patches?
>>
>> Patch 0772:

It seems this bit:

+ [cn] = lres.raw['cn']
+ lrealms.append(cn.decode('utf-8'))

breaks ipa-client-install:

Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/sbin/ipa-client-install", line 2769, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 145, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py", line 130, in del_key
    assert isinstance(key, str)
AssertionError

because realm is returned as unicode from ipadiscovery.

>>
>> 1) Instead of decoding when the type is bytes in get_ipa_basedn(), read
>> attribute values from 'entry.raw' rather than 'entry' and decode always.
>
> Done.
>
>> 2) get_ipa_basedn() is used only in ipadiscovery, perhaps we should move
>> it there?
>
> I did that in an extra patch, mainly to make the diff more meaningful.

OK. The patch needs a rebase for ipa-4-3, there is a stray get_ipa_basedn import in install/migration/migration.py.
>
>> Patch 0773: ACK, but the patch does not apply on ipa-4-3.
>>
>>
>> Patch 0774: ACK.

--
Jan Cholasta

From pvoborni at redhat.com Tue Mar 1 09:30:21 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Mar 2016 10:30:21 +0100
Subject: [Freeipa-devel] [PATCH] 952 cookie parser: do not fail on cookie with empty value
Message-ID: <56D5612D.1050807@redhat.com>

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0952-cookie-parser-do-not-fail-on-cookie-with-empty-value.patch
Type: text/x-patch
Size: 2153 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Mar 1 09:32:37 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Mar 2016 10:32:37 +0100
Subject: [Freeipa-devel] [PATCH] 952 cookie parser: do not fail on cookie with empty value
In-Reply-To: <56D5612D.1050807@redhat.com>
References: <56D5612D.1050807@redhat.com>
Message-ID: <56D561B5.2040401@redhat.com>

Forgot to attach ticket number.

https://fedorahosted.org/freeipa/ticket/5709

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0952-1-cookie-parser-do-not-fail-on-cookie-with-empty-value.patch
Type: text/x-patch
Size: 2198 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Mar 1 09:36:10 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Mar 2016 10:36:10 +0100
Subject: [Freeipa-devel] [PATCH] 953 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
In-Reply-To: <56D06151.7040007@redhat.com>
References: <56CF3352.3060400@redhat.com> <56D06151.7040007@redhat.com>
Message-ID: <56D5628A.7090804@redhat.com>

On 02/26/2016 03:29 PM, Petr Spacek wrote:
> On 25.2.2016 18:01, Petr Vobornik wrote:
>> I did not add --enableldapstarttls to config_redhat_nss_ldap because I'm not
>> sure if it is present on el5 (IMO it is not).
>>
>> authconfig in:
>> * config_redhat_nss_ldap got
>>   * --enableldaptls
>>
>> * config_redhat_nss_pam_ldapd got
>>   * --enableldaptls
>>   * --enableldapstarttls
>> options
>
> Shouldn't it get only one of them?
>
> It seems weird to enable both at the same time.
>
> Petr^2 Spacek
>
>> https://fedorahosted.org/freeipa/ticket/5654
>

Updated patch attached. It uses only --enableldaptls in both commands. --enableldapstarttls is an alias for enableldaptls.

After testing and checking /etc/openldap/ldap.conf, I don't think that these options have any effect on el6. There is no 'ssl no' or 'ssl start_tls' in any combination or lack of the options. Maybe they have effect somewhere else. Anyway it shouldn't do any harm.

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0953-1-advise-configure-TLS-in-redhat_nss_pam_ldapd-and-red.patch
Type: text/x-patch
Size: 3324 bytes
Desc: not available
URL:

From lslebodn at redhat.com Tue Mar 1 11:06:59 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 1 Mar 2016 12:06:59 +0100
Subject: [Freeipa-devel] [PATCH 0390] Fix build with GCC 4.9+
In-Reply-To: <56CF166F.1010003@redhat.com>
References: <56C710B0.3020005@redhat.com> <56CF166F.1010003@redhat.com>
Message-ID: <20160301110658.GA31766@mail.corp.redhat.com>

On (25/02/16 15:57), Petr Spacek wrote:
>On 19.2.2016 13:55, Petr Spacek wrote:
>> Hello,
>>
>> Fix build with GCC 4.9+.
>>
>> GCC 4.9+ is too aggressive when optimizing functions with nonnull
>> attributes. This removes most of asserts() in the plugin.
>> GCC 6 adds warnings for these cases.
>>
>> We are disabling the unwanted condition pruning by adding
>> -fno-delete-null-pointer-checks argument.
>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a.
>>
>> Additionally we silence warnings to prevent build failures when -Werror
>> is used.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346
>
>Updated version is attached. It contains less autotools magic because it
>enables attribute nonnull only under Clang static analyzer and Coverity - as a
>result we do not have to silence GCC warnings from -Wnonnull.
>
>Please review so I can fix build in Fedora 24.
>
>Thank you.
>
>--
>Petr^2 Spacek
>From 4732fe9f4e525c44b46e7ed0734ccaec94fba49e Mon Sep 17 00:00:00 2001
>From: Petr Spacek >Date: Fri, 19 Feb 2016 13:39:27 +0100 >Subject: [PATCH] Fix build with GCC 4.9+. > >GCC 4.9+ is too aggressive when optimizing functions with nonnull >attributes. This removes most of asserts() in the plugin. >GCC 6 adds warnings for these cases. > >We are disabling the unwanted condition pruning by adding >-fno-delete-null-pointer-checks argument. >BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. > >Additionally we enable nonnull attribute only when the build is running under >Clang static analyzer or Coverity. > >https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >--- > configure.ac | 13 +++++++++++++ > src/util.h | 8 ++++++-- > 2 files changed, 19 insertions(+), 2 deletions(-) > >diff --git a/configure.ac b/configure.ac >index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..a0123ac0a62b5acd5238f028d8c42e83af4060db 100644 >--- a/configure.ac >+++ b/configure.ac 
>@@ -39,6 +39,19 @@ AC_TRY_COMPILE([ > [CFLAGS="$SAVED_CFLAGS" > AC_MSG_RESULT([no])]) > >+# Check if build chain supports -fno-delete-null-pointer-checks >+# this flag avoids too agressive optimizations which would remove some asserts >+# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >+AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >+SAVED_CFLAGS="$CFLAGS" >+CFLAGS="$CFLAGS -fno-delete-null-pointer-checks" >+AC_TRY_COMPILE([ >+ extern int fdef(void); >+],[], >+[AC_MSG_RESULT([yes])], >+[CFLAGS="$SAVED_CFLAGS" >+ AC_MSG_RESULT([no])]) >+

NACK. It fails with clang.

configure:12982: checking for -fno-delete-null-pointer-checks compiler flag
configure:12999: clang -c -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fno-delete-null-pointer-checks conftest.c >&5
clang-3.8: warning: optimization flag '-fno-delete-null-pointer-checks' is not supported
clang-3.8: warning: argument unused during compilation: '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1'
configure:12999: $? = 0
configure:13000: result: yes

Reproducer:
autoreconf -if && CC=clang ./configure && make

LS

From mbasti at redhat.com Tue Mar 1 11:08:37 2016
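Review bot: In the configure.ac hunk of "[PATCH] Fix build with GCC 4.9+" above, the AC_TRY_COMPILE probe for -fno-delete-null-pointer-checks only takes the "no" branch when the compiler exits non-zero, so a compiler that merely warns about an unsupported flag is recorded as supporting it and the flag stays in CFLAGS. The clang log in the reply shows exactly that sequence: the "optimization flag ... is not supported" warning, then "$? = 0" and "result: yes". The probe should treat that diagnostic as a failure (for example by promoting warnings to errors only for the duration of this test and restoring CFLAGS afterwards), so the flag is kept only where it is honoured and the asserts it is meant to protect are not silently left unprotected on other toolchains. The added comment also spells "aggressive" as "agressive".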
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 12:08:37 +0100
Subject: [Freeipa-devel] Design: Automatic Empty Zone handling in bind-dyndb-ldap
In-Reply-To: <56C6CE2F.9020009@redhat.com>
References: <568FDC52.4050704@redhat.com> <568FEE66.8010600@redhat.com> <5695087B.5010408@redhat.com> <56950946.9030703@redhat.com> <56C6CE2F.9020009@redhat.com>
Message-ID: <56D57835.2010706@redhat.com>

On 19.02.2016 09:11, Petr Spacek wrote:
> On 12.1.2016 15:10, Martin Basti wrote:
>>
>> On 12.01.2016 15:06, Petr Spacek wrote:
>>> On 8.1.2016 18:14, Martin Basti wrote:
>>>> On 08.01.2016 16:57, Petr Spacek wrote:
>>>>> Hello,
>>>>>
>>>>> recent improvements in FreeIPA 4.3.0 (finally) prevent FreeIPA installer from
>>>>> creating made-up DNS reverse zones, which already exist on some other DNS
>>>>> server.
>>>>>
>>>>> This change uncovered a well-hidden automatic empty zones in BIND 9.9+, which
>>>>> is now causing problem to users.
>>>>>
>>>>> It seems that this can be fixed by change to the code which handles forward
>>>>> DNS zones. Short design document with necessary background is available on:
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones
>>>>>
>>>>>
>>>>> Please be so kind and review it ASAP, so I can write the patch quickly and
>>>>> make life of our QE guys easier.
>>>>>
>>>>> Have a nice Friday.
>>>>>
>>>> Hello,
>>>>
>>>> IIUC, the differences between default bind behaviour and bind-dyndb-ldap
>>>> behaviour are:
>>>>
>>>> * disable automatic empty zone when policy is 'first' or 'only', instead of
>>>> just 'only'
>>>> I liked it more than default behaviour of named, but could be this somehow
>>>> unexpected by users, or they will be happy that it works better (?) than in
>>>> named?
>>> I hope users will appreciate it :-)
>>>
>>>> * bind-dyndb-ldap will not recreate automate empty zone
>>>> IMO this should not harm at all
>>>>
>>>> so design LGTM, I will thinking about it over this weekend
>>> Did you find any problem?
>>>
>>>
>>> Petr^2 Spacek
>> My mind did not pop out any issue during weekend.
>> It should work :)
> I was discussing this further with BIND upstream and Mark Andrews do not like
> it. IMHO we should respect his opinion and do that same what BIND 9.11 is
> going to do.
>
> For this reason I've updated design page
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones
> with the new approach.
>
> Please review it again. It contains new sections Configuration and Upgrade.
>
> Thank you!
>

If bind wants to have it in this way, LGTM.

From mbasti at redhat.com Tue Mar 1 11:32:46 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 12:32:46 +0100
Subject: [Freeipa-devel] [PATCH 016 - 017] First part of the replica promotion tests + testplan
In-Reply-To: <56D43687.10502@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com>
Message-ID: <56D57DDE.3020306@redhat.com>

On 29.02.2016 13:16, Oleg Fayans wrote:
> Hi all,
>
> Finally the tests pass.
>
> The patch 0024 applies on top of patch 0022 (please, consider reviewing
> it also). Besides, the whole functionality depends on Martin's patch N 0421
>
> All patches pass pylint.

hello,

I cannot apply patches on master branch

Martin^2

>
>
> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>
>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> I am sorry, in my previous email I attached the old version of patch
>>> 0016. The correct on is attached.
>>>
>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>> Hi Martin,
>>>>>>
>>>>>> The updated patches are attached. Patch 0017 includes all changes from
>>>>>> patch 0018, so, if you approve this one, there would be no need to
>>>>>> continue with the review of 0018.
>>>>>> This one contains all changes
>>>>>> related
>>>>>> to you remarks from 0018 review. Please see my explanation on the
>>>>>> stdout+stderr part in the thread from patch 0018.
>>>>>> With these two patches applied one of the tests fails due this bug:
>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>
>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>> Hi Martin
>>>>>>>>>
>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>> Substituted a hardcoded suffix name with a constant
>>>>>>>>>>> DOMAIN_SUFFIX_NAME
>>>>>>>>>>>
>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote:
>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote:
>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote:
>>>>>>>>>>>>>>>> And patch N 16 passes lint too:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both
>>>>>>>>>>>>>>>>>>> patches are
>>>>>>>>>>>>>>>>>>> updated. Thank you for your help!
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one.
>>>>>>>>>>>>>>>>>>>>> please, see my
>>>>>>>>>>>>>>>>>>>>> comment
>>>>>>>>>>>>>>>>>>>>> below
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 0) Note
>>>>>>>>>>>>>>>>>>>>>> Please be aware of
>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469
>>>>>>>>>>>>>>>>>>>>>> during
>>>>>>>>>>>>>>>>>>>>>> KRA testing
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL constants,
>>>>>>>>>>>>>>>>>>>>>> this may
>>>>>>>>>>>>>>>>>>>>>> change
>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 for
>>>>>>>>>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>>>>>>>>>> level 0
>>>>>>>>>>>>>>>>>>>>>> and 1
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just
>>>>>>>>>>>>>>>>>>>>>> uninstall
>>>>>>>>>>>>>>>>>>>>>> server
>>>>>>>>>>>>>>>>>>>>>> which
>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method):
>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas:
>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall,
>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False)
>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 3)
>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic?
>>>>>>>>>>>>>>>>>>>>>> It should allow
>>>>>>>>>>>>>>>>>>>>>> specify
>>>>>>>>>>>>>>>>>>>>>> host
>>>>>>>>>>>>>>>>>>>>>> where
>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self):
>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy):
>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something like
>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 5)
>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it
>>>>>>>>>>>>>>>>>>>>>> will be
>>>>>>>>>>>>>>>>>>>>>> pushed
>>>>>>>>>>>>>>>>>>>>>> sooner
>>>>>>>>>>>>>>>>>>>>>> than tests
>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot reproduce
>>>>>>>>>>>>>>>>>>>>>> it with
>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to
>>>>>>>>>>>>>>>>>>>>>> reproduce if
>>>>>>>>>>>>>>>>>>>>>> you
>>>>>>>>>>>>>>>>>>>>>> insist
>>>>>>>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes everything
>>>>>>>>>>>>>>>>>>>>>> that we
>>>>>>>>>>>>>>>>>>>>>> tried to
>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain level in CI
>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per
>>>>>>>>>>>>>>>>>>>>> class
>>>>>>>>>>>>>>>>>>>>> is WAY
>>>>>>>>>>>>>>>>>>>>> more
>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which domain
>>>>>>>>>>>>>>>>>>>>> level is
>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during jenkins
>>>>>>>>>>>>>>>>>>>>> job
>>>>>>>>>>>>>>>>>>>>> configuration.
>>>>>>>>>>>>>>>>>>>>> In fact, I should have thought about it
>>>>>>>>>>>>>>>>>>>>> from the
>>>>>>>>>>>>>>>>>>>>> very
>>>>>>>>>>>>>>>>>>>>> beginning. For example, in test_replica_promotion.py we
>>>>>>>>>>>>>>>>>>>>> have on
>>>>>>>>>>>>>>>>>>>>> class,
>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while others -
>>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>>>>>>>>> level
>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to
>>>>>>>>>>>>>>>>>>>>> implement a
>>>>>>>>>>>>>>>>>>>>> separate
>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am against
>>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>> approach,
>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain
>>>>>>>>>>>>>>>>>>>>> level in
>>>>>>>>>>>>>>>>>>>>> config
>>>>>>>>>>>>>>>>>>>>> for
>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves should be
>>>>>>>>>>>>>>>>>>>>> aware of
>>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>> domain level they need.
>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that
>>>>>>>>>>>>>>>>>>>> overrides
>>>>>>>>>>>>>>>>>>>> settings
>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say your
>>>>>>>>>>>>>>>>>>>> patch is
>>>>>>>>>>>>>>>>>>>> doing it
>>>>>>>>>>>>>>>>>>>> wrong.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in
>>>>>>>>>>>>>>>>>>>> install_master,
>>>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be
>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by
>>>>>>>>>>>>>>>>>>>> default,
>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in
>>>>>>>>>>>>>>>>>>>> config is
>>>>>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>>>>>> used
>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal:
>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain level1
>>>>>>>>>>>>>>>>>>>> and on
>>>>>>>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain levels
>>>>>>>>>>>>>>>>>>>> just
>>>>>>>>>>>>>>>>>>>> with
>>>>>>>>>>>>>>>>>>>> putting
>>>>>>>>>>>>>>>>>>>> domain level into config file.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica
>>>>>>>>>>>>>>>>>>>> promotion test
>>>>>>>>>>>>>>>>>>>> is, we
>>>>>>>>>>>>>>>>>>>> need something that allows override the config file.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value should be
>>>>>>>>>>>>>>>>>>>> None in
>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. If domain level
>>>>>>>>>>>>>>>>>>>> was
>>>>>>>>>>>>>>>>>>>> specified
>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) use the
>>>>>>>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>>>>>>>> level
>>>>>>>>>>>>>>>>>>>> from
>>>>>>>>>>>>>>>>>>>> config file.
>>>>>>>>>>>>>>>>>>> Agreed :)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Martin
>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class
>>>>>>>>>>>>>>>>>>>>>> derived from
>>>>>>>>>>>>>>>>>>>>>> TestIntegration
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml config, how
>>>>>>>>>>>>>>>>>>>>>> is this
>>>>>>>>>>>>>>>>>>>>>> supposed to
>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that code?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" %
>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level
>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or
>>>>>>>>>>>>>>>>>>>>>> whatever is
>>>>>>>>>>>>>>>>>>>>>> specified in
>>>>>>>>>>>>>>>>>>>>>> domain_level option.
>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when it is
>>>>>>>>>>>>>>>>>>>>>> None use
>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, use
>>>>>>>>>>>>>>>>>>>>>> 'domain_level'
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config
>>>>>>>>>>>>>>>>>>>>>> file for
>>>>>>>>>>>>>>>>>>>>>> test
>>>>>>>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>>>>>>>> can
>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can manually
>>>>>>>>>>>>>>>>>>>>>> specify
>>>>>>>>>>>>>>>>>>>>>> domain
>>>>>>>>>>>>>>>>>>>>>> level
>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Also this should go away
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> @classmethod
>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh):
>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and
>>>>>>>>>>>>>>>>>>>>>> cls.master:
>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = cls.domain_level
>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None:
>>>>>>>>>>>>>>>>>>>>>> return
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override
>>>>>>>>>>>>>>>>>>>>>> configuration in
>>>>>>>>>>>>>>>>>>>>>> config in
>>>>>>>>>>>>>>>>>>>>>> this case.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Martin
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more
>>>>>>>>>>>>>>>>>>>>>>> tests +
>>>>>>>>>>>>>>>>>>>>>>> fixed the
>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that
>>>>>>>>>>>>>>>>>>>>>>> implements the
>>>>>>>>>>>>>>>>>>>>>>> necessary
>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e.
>>>>>>>>>>>>>>>>>>>>>>> patch 16
>>>>>>>>>>>>>>>>>>>>>>> does not
>>>>>>>>>>>>>>>>>>>>>>> work
>>>>>>>>>>>>>>>>>>>>>>> without
>>>>>>>>>>>>>>>>>>>>>>> patch 17
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from this
>>>>>>>>>>>>>>>>>>>>>>>>> (so far
>>>>>>>>>>>>>>>>>>>>>>>>> incomplete)
>>>>>>>>>>>>>>>>>>>>>>>>> testplan:
>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused parameter to
>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to
>>>>>>>>>>>>>>>>>>>>>>>> install_topo()?
>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option as the
>>>>>>>>>>>>>>>>>>>>>>>> last
>>>>>>>>>>>>>>>>>>>>>>>> parameter.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level with
>>>>>>>>>>>>>>>>>>>>>>>> constant
>>>>>>>>>>>>>>>>>>>>>>>> instead of
>>>>>>>>>>>>>>>>>>>>>>>> number literal?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 3)
>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain
>>>>>>>>>>>>>>>>>>>>>>>> level,
>>>>>>>>>>>>>>>>>>>>>>>> but it
>>>>>>>>>>>>>>>>>>>>>>>> cannot
>>>>>>>>>>>>>>>>>>>>>>>> work
>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?)
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work?
>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of install_topo()
>>>>>>>>>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>>>>>>>>>> installs
>>>>>>>>>>>>>>>>>>>>>>>> replica.
>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that ipa-replica-prepare is
>>>>>>>>>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>>>>>>>>>> working
>>>>>>>>>>>>>>>>>>>>>>>> anymore,
>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing
>>>>>>>>>>>>>>>>>>>>>>>> replica and
>>>>>>>>>>>>>>>>>>>>>>>> then
>>>>>>>>>>>>>>>>>>>>>>>> just no
>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install step is
>>>>>>>>>>>>>>>>>>>>>>>> enough.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> ./make-lint
>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base
>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: [E1101(no-member),
>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' has no
>>>>>>>>>>>>>>>>>> 'domain_level'
>>>>>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>>>>> ************* Module
>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion
>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16:
>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no
>>>>>>>>>>>>>>>>>> 'domain_level'
>>>>>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117:
>>>>>>>>>>>>>>>>>> [E1101(no-member),
>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file]
>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no
>>>>>>>>>>>>>>>>>> 'setup_replica'
>>>>>>>>>>>>>>>>>> member)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted for
>>>>>>>>>>>>>>>>>> review?
>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>> Why is this change in the patch?
>>>>>>>>>>>>>>> - # Clean up the test directory
>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', host.config.test_dir])
>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line 78 of
>>>>>>>>>>>>>> ipatests/test_integration/tasks.py
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you
>>>>>>>>>>>>>> remove
>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> So this should be in separated patch and investigated properly.
>>>>>>>>>>>> Agree. Removed
>>>>>>>>>>>>>>> -
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>>> is enough to have this check only in install_master,
>>>>>>>>>>>>>>> install_topo can
>>>>>>>>>>>>>>> pass None to install_master
>>>>>>>>>>>>>>> + if domain_level is None:
>>>>>>>>>>>>>>> + domain_level = master.config.domain_level
>>>>>>>>>>>>>> Done
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 3)
>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so
>>>>>>>>>>>>>>> following
>>>>>>>>>>>>>>> code
>>>>>>>>>>>>>>> should not be needed.
>>>>>>>>>>>>>>> + if cleanhost:
>>>>>>>>>>>>>>> + kinit_admin(master)
>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del",
>>>>>>>>>>>>>>> "--updatedns",
>>>>>>>>>>>>>>> replica.hostname],
>>>>>>>>>>>>>>> + raiseonerr=False)
>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns
>>>>>>>>>>>>>> record
>>>>>>>>>>>>>> stays
>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. Probably
>>>>>>>>>>>>>> it's a
>>>>>>>>>>>>>> bug. On the other hand, if I promote an existing client to
>>>>>>>>>>>>>> replica and
>>>>>>>>>>>>>> then delete this replica, then, I probably want the host
>>>>>>>>>>>>>> record
>>>>>>>>>>>>>> (that
>>>>>>>>>>>>>> was created during client-install) to stay in the system. So,
>>>>>>>>>>>>>> does not
>>>>>>>>>>>>>> look like a bug to me.
>>>>>>>>>>>>> No you don't, because replica uninstallation also removes the
>>>>>>>>>>>>> client.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host
>>>>>>>>>>>>> entry,
>>>>>>>>>>>>> and
>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure
>>>>>>>>>>>>> if it
>>>>>>>>>>>>> is bug
>>>>>>>>>>>>> or feature)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also I received this message
>>>>>>>>>>>>> """
>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no matching
>>>>>>>>>>>>> entry
>>>>>>>>>>>>> found
>>>>>>>>>>>>> You may need to manually remove them from the tree
>>>>>>>>>>>>> """
>>>>>>>>>>>>> But, A record has been removed, so this is probably false
>>>>>>>>>>>>> positive and
>>>>>>>>>>>>> it needs to have a ticket.
>>>>>>>>>>>> Agree, that was an issue with my setup.
>>>>>>>>>>>> Removed
>>>>>>>>>>>>
>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>> This variable is not used
>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", "--uninstall", "-U"]
>>>>>>>>>>>>>> Removed
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 5)
>>>>>>>>>>>>>>> Why do you need this
>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p",
>>>>>>>>>>>>>>> config.dirman_password]
>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the
>>>>>>>>>>>>>>> exactly
>>>>>>>>>>>>>>> the same
>>>>>>>>>>>>>>> result?
>>>>>>>>>>>>>> Right.
>>>>>>>>>>>>>> Removed
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 6)
>>>>>>>>>>>>>>> PEP8
>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 expected 2
>>>>>>>>>>>>>>> blank
>>>>>>>>>>>>>>> lines,
>>>>>>>>>>>>>>> found 1
>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 expected 2
>>>>>>>>>>>>>>> blank
>>>>>>>>>>>>>>> lines,
>>>>>>>>>>>>>>> found 1
>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 expected 2
>>>>>>>>>>>>>>> blank
>>>>>>>>>>>>>>> lines,
>>>>>>>>>>>>>>> found 1
>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 expected 2
>>>>>>>>>>>>>>> blank
>>>>>>>>>>>>>>> lines,
>>>>>>>>>>>>>>> found 1
>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 line too
>>>>>>>>>>>>>>> long
>>>>>>>>>>>>>>> (80 > 79
>>>>>>>>>>>>>>> characters)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (85 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (85 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (88 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (80 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (83 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (81 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80:
>>>>>>>>>>>>>>> E501
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> line
>>>>>>>>>>>>>>> too long (80 > 79 characters)
>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> line >>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> line >>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>> Most of these complaints are unrelated to the current patches. >>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 errors. >>>>>>>>>>>>>> >>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>> introduced by >>>>>>>>>>>>> your >>>>>>>>>>>>> patches. >>>>>>>>>>>> Fixed >>>>>>>>>>>> >>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it stored as >>>>>>>>>>>>>>> local >>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>> >>>>>>>>>> This patch is missing something. >>>>>>>>> I am sorry, I forgot to revert my previous change. 
The correct
>>>>>>>>> patch is
>>>>>>>>> attached
>>>>>>>>>
>>>>>>>> ************* Module
>>>>>>>> ipatests.test_integration.test_replica_promotion
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15:
>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected keyword
>>>>>>>> argument 'domain_level' in function call)
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15:
>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no
>>>>>>>> 'domain_level'
>>>>>>>> member)
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19:
>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module
>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' member)
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67:
>>>>>>>> [E1101(no-member), TestReplicaPromotionLevel0.test_backup_restore]
>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' member)
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72:
>>>>>>>> [E1101(no-member), TestReplicaPromotionLevel0.test_backup_restore]
>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore'
>>>>>>>> member)
>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120:
>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] Unexpected
>>>>>>>> keyword argument 'domain_level' in function call)
>>>>>>>>
>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with review
>>>>> LGTM, I haven't had time to test it, but if you are sure that test is
>>>>> working, we may push this.
>>>>>
>>>> Is this expected due to the bug you mentioned?
>>>> _____
>>>> __________________________________________________________________________
>>>>
>>>> TestReplicaPromotionLevel0.test_kra_install_master
>>>> ________________________________________________________________________________
>>>>
>>>>
>>>>
>>>> self =
>>>>
>>>
>>>> object at 0x7f5071a59e50>
>>>>
>>>> def test_kra_install_master(self):
>>>> result1 = tasks.install_kra(self.master, raiseonerr=False)
>>>>> assert result1.returncode == 0, result1.stderr_text
>>>> E AssertionError: Usage: ipa-kra-install [options] [replica_file]
>>>> E
>>>> E ipa-kra-install: error: Replica file
>>>> /root/ipatests/replica-info.gpg does not exist
>>>> E The ipa-kra-install command failed. See
>>>> /var/log/ipaserver-kra-install.log for more information
>>>> E
>>>> E assert 2 == 0
>>>> E + where 2 =
>>> 0x7f5071adbd50>.returncode
>>>>
>> IMO the test needs fix, KRA on replica file needs KRA related
>> certificates in replica file
>>
>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN
>> ['ipa-kra-install', '-U', '-p', 'Secret123',
>> '/root/ipatests/replica-info.gpg']
>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN
>> ['ipa-kra-install', '-U', '-p', 'Secret123',
>> '/root/ipatests/replica-info.gpg']
>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA
>> certificates, please create a new replica file.
>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The
>> ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log
>> for more information
>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1
>> FAILED
>> traceback
>>
>> self =
> object at 0x7f660bc1a590>
>>

From mbasti at redhat.com Tue Mar 1 11:37:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 12:37:48 +0100
Subject: [Freeipa-devel] [PATCH 016 - 017] First part of the replica promotion tests + testplan
In-Reply-To: <56D57DDE.3020306@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com>
Message-ID: <56D57F0C.1060103@redhat.com>

On 01.03.2016 12:32, Martin Basti wrote:
>
>
> On 29.02.2016 13:16, Oleg Fayans wrote:
>> Hi all,
>>
>> Finally the tests pass.
>>
>> The patch 0024 applies on top of patch 0022 (please, consider reviewing
>> it also). Besides, the whole functionality depends on Martin's patch
>> N 0421
>>
>> All patches pass pylint.
> hello,
>
> I cannot apply patches on master branch
> Martin^2
My bad I applied wrong patch
>>
>>
>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>
>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> I am sorry, in my previous email I attached the old version of patch
>>>> 0016. The correct one is attached.
>>>>
>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> The updated patches are attached.
Patch 0017 includes all >>>>>>> changes from >>>>>>> patch 0018, so, if you approve this one, there would be no need to >>>>>>> continue with the review of 0018. This one contains all changes >>>>>>> related >>>>>>> to you remarks from 0018 review. Please see my explanation on the >>>>>>> stdout+stderr part in the thread from patch 0018. >>>>>>> With these two patches applied one of the tests fails due this bug: >>>>>>> https://fedorahosted.org/freeipa/ticket/5550 >>>>>>> >>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote: >>>>>>>> On 09.12.2015 12:10, Martin Basti wrote: >>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote: >>>>>>>>>> Hi Martin >>>>>>>>>> >>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote: >>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote: >>>>>>>>>>>> Substituted a hardcoded suffix name with a constant >>>>>>>>>>>> DOMAIN_SUFFIX_NAME >>>>>>>>>>>> >>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote: >>>>>>>>>>>>> Hi all, >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> The patches are rebased against the current master. >>>>>>>>>>>>> >>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both >>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! 
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, see my >>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 >>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just >>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? 
It should allow >>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something like >>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it >>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. 
>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes everything >>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain level >>>>>>>>>>>>>>>>>>>>>>> in CI >>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per >>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during jenkins >>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while others - >>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am against >>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves should be >>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>> domain level they need. 
>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that >>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say your >>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in >>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in >>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain levels >>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>> need something that allows override the config file. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If domain >>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) use the >>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml config, how >>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>> domain_level option. >>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when it is >>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, use >>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can manually >>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. 
>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = cls.domain_level >>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>> this case. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. 
patch 16 >>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from this >>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused parameter to >>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option as the >>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level with >>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain >>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) 
>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work? >>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of install_topo() >>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing >>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>> enough. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' has no >>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Is it so hard to run 
pylint before patch is posted for >>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>> Why is this change in the patch? >>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line 78 of >>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you >>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>> properly. >>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns >>>>>>>>>>>>>>> record >>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing client to >>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>> then delete this replica, then, I probably want the host >>>>>>>>>>>>>>> record >>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>> No you don't, because replica uninstallation also removes >>>>>>>>>>>>>> the >>>>>>>>>>>>>> client. >>>>>>>>>>>>>> >>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host >>>>>>>>>>>>>> entry, >>>>>>>>>>>>>> and >>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure >>>>>>>>>>>>>> if it >>>>>>>>>>>>>> is bug >>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>> """ >>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no matching >>>>>>>>>>>>>> entry >>>>>>>>>>>>>> found >>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>> """ >>>>>>>>>>>>>> But, A record has been removed, so this is probably false >>>>>>>>>>>>>> positive and >>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>> Removed >>>>>>>>>>>>> >>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", "--uninstall", >>>>>>>>>>>>>>>> "-U"] >>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the >>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 line too >>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line 
>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>> your >>>>>>>>>>>>>> patches. >>>>>>>>>>>>> Fixed >>>>>>>>>>>>> >>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>> >>>>>>>>>>> This patch is missing something. >>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The correct
>>>>>>>>>> patch is
>>>>>>>>>> attached
>>>>>>>>>>
>>>>>>>>> ************* Module
>>>>>>>>> ipatests.test_integration.test_replica_promotion
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15:
>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected keyword
>>>>>>>>> argument 'domain_level' in function call)
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15:
>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no
>>>>>>>>> 'domain_level'
>>>>>>>>> member)
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19:
>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module
>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica'
>>>>>>>>> member)
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67:
>>>>>>>>> [E1101(no-member),
>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore]
>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup'
>>>>>>>>> member)
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72:
>>>>>>>>> [E1101(no-member),
>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore]
>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore'
>>>>>>>>> member)
>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120:
>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] Unexpected
>>>>>>>>> keyword argument 'domain_level' in function call)
>>>>>>>>>
>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with
>>>>>>>> review
>>>>>> LGTM, I haven't had time to test it, but if you are sure that
>>>>>> test is
>>>>>> working, we may push this.
>>>>>>
>>>>> Is this expected due to the bug you mentioned?
>>>>> _____
>>>>> __________________________________________________________________________
>>>>>
>>>>>
>>>>> TestReplicaPromotionLevel0.test_kra_install_master
>>>>> ________________________________________________________________________________
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> self =
>>>>>
>>>>
>>>>>
>>>>> object at 0x7f5071a59e50>
>>>>>
>>>>> def test_kra_install_master(self):
>>>>> result1 = tasks.install_kra(self.master, raiseonerr=False)
>>>>>> assert result1.returncode == 0, result1.stderr_text
>>>>> E AssertionError: Usage: ipa-kra-install [options]
>>>>> [replica_file]
>>>>> E
>>>>> E ipa-kra-install: error: Replica file
>>>>> /root/ipatests/replica-info.gpg does not exist
>>>>> E The ipa-kra-install command failed. See
>>>>> /var/log/ipaserver-kra-install.log for more information
>>>>> E
>>>>> E assert 2 == 0
>>>>> E + where 2 =
>>>> object at
>>>>> 0x7f5071adbd50>.returncode
>>>>>
>>> IMO the test needs fix, KRA on replica file needs KRA related
>>> certificates in replica file
>>>
>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>> RUN
>>> ['ipa-kra-install', '-U', '-p', 'Secret123',
>>> '/root/ipatests/replica-info.gpg']
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN
>>> ['ipa-kra-install', '-U', '-p', 'Secret123',
>>> '/root/ipatests/replica-info.gpg']
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA
>>> certificates, please create a new replica file.
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The
>>> ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log
>>> for more information
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1
>>> FAILED
>>> traceback
>>>
>>> self =
>> object at 0x7f660bc1a590>
>>>
>

From tbabej at redhat.com Tue Mar 1 11:44:12 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 12:44:12 +0100
Subject: [Freeipa-devel] [PATCH 200] slapi-nis: update configuration to allow external members
In-Reply-To: <56D43472.9070502@redhat.com>
References: <20160222104811.GN4492@redhat.com> <56CB3F82.1070408@redhat.com> <20160222171455.GT4492@redhat.com> <56CB59E3.3010709@redhat.com> <56CFF106.1080305@redhat.com> <56D038F4.5040909@redhat.com> <20160226203840.GB16465@mail.corp.redhat.com> <56D3E2E3.2080207@redhat.com> <56D43472.9070502@redhat.com>
Message-ID: <56D5808C.7030306@redhat.com>

On 02/29/2016 01:07 PM, Tomas Babej wrote:
>
> On 02/29/2016 07:19 AM, Jan Cholasta wrote:
>> On 26.2.2016 21:38, Lukas Slebodnik wrote:
>>> On (26/02/16 12:37), Tomas Babej wrote:
>>>>
>>>> On 02/26/2016 07:30 AM, Jan Cholasta wrote:
>>>>> On 22.2.2016 19:56, Tomas Babej wrote:
>>>>>>
>>>>>> On 02/22/2016 06:14 PM, Alexander Bokovoy wrote:
>>>>>>> On Mon, 22 Feb 2016, Tomas Babej wrote:
>>>>>>>>
>>>>>>>> On 02/22/2016 11:48 AM, Alexander Bokovoy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> attached patch should update compat tree configuration if it exist to
>>>>>>>>> follow slapi-nis 0.55 which has support for external members of IPA
>>>>>>>>> groups.
>>>>>>>>>
>>>>>>>>> However, the real work is done in SSSD. These patches are not upstreamed
>>>>>>>>> yet. We'll need to bump SSSD dependency in future once they come to
>>>>>>>>> distros.
>>>>>>>>>
>>>>>>>>
>>>>>>>> This looks good.
>>>>>>>>
>>>>>>>> However, the new update file needs to be added to Makefile.am.
>>>>>>>> Additionally, patch adds a whitespace error.
>>>>>>> Updated patch is attached.
>>>>>>>
>>>>>>
>>>>>> ACK.
>>>>>>
>>>>>> This should not be pushed until the dependency for SSSD can be bumped.
>>>>>
>>>>> https://bodhi.fedoraproject.org/updates/FEDORA-2016-d872920f74
>>>>>
>>>>
>>>> Attaching the required spec change.
>>>>
>>>> Tomas
>>>
>>>> From dae8b8fd0b23bf25ccf75b275deaa5c599faa27b Mon Sep 17 00:00:00 2001
>>>> From: Tomas Babej
>>>> Date: Fri, 26 Feb 2016 12:35:09 +0100
>>>> Subject: [PATCH] spec: Bump required sssd version to 1.13.3-5
>>>>
>>>> Required as part of: https://fedorahosted.org/freeipa/ticket/4403
>>> ^^^^^^^^^^^^^
>>> There isn't mentioned sssd related ticket in slapi-nis bug
>>> It would be good to add also sssd related ticket to commit message
>>> https://fedorahosted.org/sssd/ticket/2522
>>
>> +1, that's in IPA.
>>
>
> Attaching patch with updated commit message.
>
> Tomas
>

Rebased and pushed to:
ipa-4-2: dbea05e1578e2d6d80940f1d4289ecd98a0593ab
ipa-4-3: 5e2c6b0f630300e20c11595e67c61e7eb3982aae
master: 271086ebdd10b2229534220d830d1cbd5af6a352

From tbabej at redhat.com Tue Mar 1 12:06:09 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 13:06:09 +0100
Subject: [Freeipa-devel] [PATCH] 953 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
In-Reply-To: <56D5628A.7090804@redhat.com>
References: <56CF3352.3060400@redhat.com> <56D06151.7040007@redhat.com> <56D5628A.7090804@redhat.com>
Message-ID: <56D585B1.80804@redhat.com>

On 03/01/2016 10:36 AM, Petr Vobornik wrote:
> On 02/26/2016 03:29 PM, Petr Spacek wrote:
>> On 25.2.2016 18:01, Petr Vobornik wrote:
>>> I did not add --enableldapstarttls to config_redhat_nss_ldap because I'm not
>>> sure if it is present on el5 (IMO it is not).
>>>
>>> authconfig in:
>>> * config_redhat_nss_ldap got
>>>   * --enableldaptls
>>>
>>> * config_redhat_nss_pam_ldapd got
>>>   * --enableldaptls
>>>   * --enableldapstarttls
>>> options
>>
>> Shouldn't it get only one of them?
>>
>> It seems weird to enable both at the same time.
>>
>> Petr^2 Spacek
>>
>>> https://fedorahosted.org/freeipa/ticket/5654
>>
>
> Updated patch attached. It uses only --enableldaptls in both commands.
>
> --enableldapstarttls is an alias for enableldaptls.
>
> After testing and checking /etc/openldap/ldap.conf, I don't think that
> these options have any effect on el6. There is no 'ssl no' or 'ssl
> start_tls' in any combination or lack of the options. Maybe they have
> effect somewhere else. Anyway it shouldn't do any harm.
>
>

ACK.

Pushed to:
master: 02d3ea106214c7e170cb9bf051e4085ade440134
ipa-4-3: b2c5c32d78f099ecc0fb1f10fbf2acd9e36da3ae
ipa-4-2: 6111a30962db4f4bf095201854f3aaa3493adf7c

From mkosek at redhat.com Tue Mar 1 12:24:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 1 Mar 2016 13:24:41 +0100
Subject: [Freeipa-devel] [REVIEW] Intial stab towards Authentication Indicators
In-Reply-To: <1456785331.2643.1.camel@redhat.com>
References: <1456104026.2488.15.camel@redhat.com> <1456105856.6599.132.camel@redhat.com> <1456325710.3148.10.camel@redhat.com> <1456414375.3074.10.camel@redhat.com> <1456415388.6599.305.camel@redhat.com> <1456420747.3074.24.camel@redhat.com> <1456434812.3074.31.camel@redhat.com> <1456437087.6599.345.camel@redhat.com> <56D0062A.6060706@redhat.com> <1456785331.2643.1.camel@redhat.com>
Message-ID: <56D58A09.9090004@redhat.com>

On 02/29/2016 11:35 PM, Nathaniel McCallum wrote:
> On Fri, 2016-02-26 at 09:00 +0100, Martin Kosek wrote:
>> On 02/25/2016 10:51 PM, Simo Sorce wrote:
>>>
>>> On Thu, 2016-02-25 at 16:13 -0500, Nathaniel McCallum wrote:
>>>>
>>>> On Thu, 2016-02-25 at 12:19 -0500, Nathaniel McCallum wrote:
>>>>>
>>>>> On Thu, 2016-02-25 at 10:49 -0500, Simo Sorce wrote:
>>>>>>
>>>>>> On Thu, 2016-02-25 at 10:32 -0500, Nathaniel McCallum wrote:
>>>>>>>
>>>>>>> On Wed, 2016-02-24 at 09:55 -0500, Nathaniel McCallum wrote:
>>>>>>>>
>>>>>>>> On Sun, 2016-02-21 at 20:50 -0500, Simo Sorce wrote:
>>>>>>>>>
>>>>>>>>> On Sun, 2016-02-21 at 20:20 -0500, Nathaniel McCallum wrote:
>>>>>>>>>>
>>>>>>>>>> https://github.com/npmccallum/freeipa/pull/1
>>>>>>>>>>
>>>>>>>>>> The above (pseudo) pull request contains four patches against FreeIPA
>>>>>>>>>> to enable the insertion of Authentication Indicators into Kerberos
>>>>>>>>>> tickets. The basic flow looks like this.
>>>>>>>>>>
>>>>>>>>>> First, we patch ipa-pwd-extop to return a control indicating what
>>>>>>>>>> authentication method succeeded resulting in a successful bind.
>>>>>>>>>>
>>>>>>>>>> Second, we patch ipa-otpd to check the returned control to ensure that
>>>>>>>>>> the bind resulted from an otp validation.
>>>>>>>>>>
>>>>>>>>>> Third, we patch ipa-kdb to enable the KDC to return either the
>>>>>>>>>> encrypted timestamp or encrypted challenge preauth mechanism when the
>>>>>>>>>> user is configured for optional 2FA logins. Clients can then decide
>>>>>>>>>> whether to do 1FA or 2FA login (for kinit, sane behavior already
>>>>>>>>>> exists).
>>>>>>>>>>
>>>>>>>>>> Fourth, we patch ipa-kdb again to insert hard-coded authentication
>>>>>>>>>> indicators for either OTP or RADIUS.
>>>>>>>>>>
>>>>>>>>>> Some explanation is required for the first two patches. Currently, it
>>>>>>>>>> is possible to do a 1FA through the otp preauthentication mechanism if
>>>>>>>>>> the user is configured for doing optional 2FA. However, because we want
>>>>>>>>>> to insert an authentication indicator in this code path, we need to
>>>>>>>>>> guarantee that a request going through the otp preauth mechanism
>>>>>>>>>> actually validates an OTP. This is the purpose of the control.
>>>>>>>>>>
>>>>>>>>>> Items still on the TODO list:
>>>>>>>>>>
>>>>>>>>>> * Authentication Indicator enforcement
>>>>>>>>>>   - Upstream libkrb5 needs to grow funcs for reading indicators
>>>>>>>>>>   - Schema change to add indicators multi-value attr to services
>>>>>>>>>>   - ipa-kdb needs to implement check_policy_tgs()
>>>>>>>>>>
>>>>>>>>>> * SSSD needs to learn to handle optional 2FA
>>>>>>>>>>
>>>>>>>>>> I will write up a project page for all of this tomorrow.
>>>>>>>>>> But this small
>>>>>>>>>> code basically amounts to my brainstorming. It is not ready for merge,
>>>>>>>>>> just basic review.
>>>>>>>>>>
>>>>>>>>> It looks mostly ok, however the LDAP control part needs to be done as a
>>>>>>>>> request/response pair.
>>>>>>>>> A client that wishes to know what kind of authentication happened should
>>>>>>>>> send a request control, and only in that case, the server will send the
>>>>>>>>> associated reply control with the requested information.
>>>>>>>> I just pushed a new version of the control (now merged into a single
>>>>>>>> patch): https://github.com/npmccallum/freeipa/commit/a78191ee5d31e1de39f28eb637f66199da7e9225
>>>>>>>>
>>>>>>>> In this version the client sends a critical control with no content
>>>>>>>> indicating that the server must validate an OTP. If the LDAP server
>>>>>>>> doesn't support the control (for whatever reason), bind will fail. If
>>>>>>>> the LDAP server doesn't validate an OTP (for whatever reason), bind
>>>>>>>> will fail.
>>>>>>>>
>>>>>>>> This approach is simpler and doesn't require a request/response control
>>>>>>>> pair.
>>>>>>> I need some design advice. My goal here is that we need a way to expose
>>>>>>> the authentication indicators to services in the FreeIPA UI/CLI.
>>>>>>>
>>>>>>> Here is the good news: users can already set these values in FreeIPA
>>>>>>> using kadmin. They do this by simply setting the require_auth string on
>>>>>>> the target service principal. Our kdb plugin then encodes these with
>>>>>>> the rest of the tl_data into the krbExtraData attribute.
>>>>>>>
>>>>>>> I see two approaches here. First, we can try to manipulate the
>>>>>>> krbExtraData attribute directly. Second, we can create a separate
>>>>>>> attribute for the authentication indicator strings and then synthesize
>>>>>>> the tl_data internally in kdb. We would have to do this for both reads
>>>>>>> and writes so as not to break existing kdb functionality.
>>>>>>>
>>>>>>> The trade-off that I see is that the first method complicates the
>>>>>>> python framework side where the second method complicates the kdb
>>>>>>> plugin.
>>>>>>>
>>>>>>> A third option, which I doubt is even possible, is to use kadmin to
>>>>>>> manipulate this option rather than modifying LDAP directly.
>>>>>>>
>>>>>>> Thoughts?
>>>>>> We should translate it, we need that to allow to delegate access only to
>>>>>> the specific attribute via our standard means.
>>>>>>
>>>>>> We already do this for other tl_data entries.
>>>>>>
>>>>>> The krbExtraData access cannot always be delegated because it would be
>>>>>> open ended. also it is really obnoxious to have to manipulate ASN.1
>>>>>> stuff in the framework.
>>>>>>
>>>>>> kadmin could be used at some point, but we'd still want to have this
>>>>>> attribute extracted in order to be able to grant access control
>>>>>> individually, as our ACL system and delegation system is more fine
>>>>>> grained than what kadmin can offer.
>>>>> After discussing this with MIT, Simo and Matt, it seems that the best
>>>>> option is to update the (MIT) upstream krbPrincipal objectClass to have
>>>>> a new attribute. The reason for this is twofold. First, it has upstream
>>>>> value. Second, we don't have good objectClass to attach the new
>>>>> attribute to inside FreeIPA.
>>>>>
>>>>> So the current plan is that Matt will create a patch for storing auth
>>>>> indicators (specifically, the "required_auth" strings) in a new
>>>>> multi-value string attribute on krbPrincipal objects. The get_principal() KDB
>>>>> hook will read "required_auth" from krbExtraData or (if present,
>>>>> preferred) the new attribute. In turn, the put_principal() KDB hook
>>>>> will store "required_auth" in the new attribute. This will allow the
>>>>> transparent migration of any data currently stored in krbExtraData.
>>>>>
>>>>> As part of this process, Matt will also refactor put_principal() into
>>>>> smaller functions (it is currently 800+ LOC).
>>>>>
>>>>> Once we have an attribute in upstream krbPrincipal, we will use this
>>>>> attribute exclusively in our KDB plugin.
>>>> I have started a project page:
>>>> http://www.freeipa.org/page/V4/AuthenticationIndicators
>> Thanks Nathaniel! For starters, I moved the page to
>> http://www.freeipa.org/page/V4/Authentication_Indicators
>> to make sure the URL is consistent with other pages ;-)
>>
>> I also updated the Use Cases and added the User Story I am tracking with this
>> feature:
>> http://www.freeipa.org/page/V4/Authentication_Indicators#Strong_Authentication_on_Selected_System
>>
>>>
>>>>
>>>> We are still waiting on some details. But the general shape of things
>>>> is there. Please review. :)
>>> LGTM so far.
>>>
>>> Questions:
>>> - Should the control specify what kind of auth specifically should be
>>> required ?
>>>
>>> - Will it make sense in future to have different strength otp-like
>>> second factors and have ipa-otpd be able to specify which one it is
>>> expecting to be validated ?
>>>
>>> - Even if ipa-otpd will not grow such a feature, I see this control
>>> could be useful for pure LDAP auth clients, so perhaps a different kind
>>> of client may want to set this control ?
>>> Perhaps one day we can have a
>>> way to do GSSAPI auth and check that the AI on the ldap ticket was a 2FA
>>> and then DS will refuse login if the otp AI was missing on the ticket it
>>> received and the control requires it ? (could be used for the IPA UI
>>> connection to LDAP maybe ?)
>> It would be also nice to add some graph how the workflows look like. It may be
>> something based on Simo's picture he created some time back (attached).
>
> How's this (attached)?

Good! Your version is IMO most useful for developers. The previous Simo's
diagram could be also useful for admins that are Kerberos protocol savvy and
would help them get the big picture of how the AI is inserted in the tokens.
Design page can include both, it should not be a problem.

From amarecek at redhat.com Tue Mar 1 12:27:22 2016
From: amarecek at redhat.com (Aleš Mareček)
Date: Tue, 1 Mar 2016 07:27:22 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
In-Reply-To: <1905014287.35162874.1456340875185.JavaMail.zimbra@redhat.com>
References: <1415364427.17513799.1453733845873.JavaMail.zimbra@redhat.com> <1464040446.19836563.1455196912586.JavaMail.zimbra@redhat.com> <1618888650.32803170.1456145983381.JavaMail.zimbra@redhat.com> <1411609333.26185776.1456236128153.JavaMail.zimbra@redhat.com> <1905014287.35162874.1456340875185.JavaMail.zimbra@redhat.com>
Message-ID: <1940649649.2236188.1456835242238.JavaMail.zimbra@redhat.com>

ACK.
Thank you!
- alich -

----- Original Message -----
> From: "Filip Skola"
> To: "Aleš Mareček"
> Cc: freeipa-devel at redhat.com, "Milan Kubík"
> Sent: Wednesday, February 24, 2016 8:07:55 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
>
> Hi,
>
> these problems have been fixed.
>
> F.
>
> ----- Original Message -----
> > NACK.
> > Some little changes still required:
> > * fixing the pep8 errors
> > * fixing the wrong comment
> >
> > [root at master2 freeipa]# pep8 ipatests/test_xmlrpc/test_sudocmd_plugin.py
> > ipatests/test_xmlrpc/test_sudocmd_plugin.py:94:80: E501 line too long (87 > 79 characters)
> > ipatests/test_xmlrpc/test_sudocmd_plugin.py:97:80: E501 line too long (87 > 79 characters)
> > ipatests/test_xmlrpc/test_sudocmd_plugin.py:134:80: E501 line too long (80 > 79 characters)
> >
> > [root at master2 freeipa]# pep8 ipatests/test_xmlrpc/tracker/sudocmd_plugin.py
> > ipatests/test_xmlrpc/tracker/sudocmd_plugin.py:14:80: E501 line too long (81 > 79 characters)
> >
> > [root at master2 freeipa]# grep 'Class for' ipatests/test_xmlrpc/tracker/sudocmd_plugin.py
> > """ Class for host plugin like tests """
> >
> >
> > ----- Original Message -----
> > > From: "Filip Skola"
> > > To: "Aleš Mareček"
> > > Cc: freeipa-devel at redhat.com, "Milan Kubík"
> > > Sent: Monday, February 22, 2016 1:59:43 PM
> > > Subject: Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
> > >
> > > Hi,
> > >
> > > sudocmd tracker has been created.
> > >
> > > Filip
> > >
> > > ----- Original Message -----
> > > > NACK.
> > > >
> > > > "create_sudocmd" and "delete_sudocmd" should be placed in Tracker. So this
> > > > patch should create the tracker as well.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Filip Skola"
> > > > > To: freeipa-devel at redhat.com
> > > > > Sent: Monday, January 25, 2016 3:57:25 PM
> > > > > Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
> > > > >
> > > > > Hello,
> > > > >
> > > > > attaching refactored sudocmd_plugin.
> > > > >
> > > > > Filip
> > > > > --
> > > > > Manage your subscription for the Freeipa-devel mailing list:
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> > > >
> > >
> >
>

From amarecek at redhat.com Tue Mar 1 12:29:35 2016
From: amarecek at redhat.com (Aleš Mareček)
Date: Tue, 1 Mar 2016 07:29:35 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
In-Reply-To: <1204896696.35164319.1456341183055.JavaMail.zimbra@redhat.com>
References: <1667642851.19197845.1453981757248.JavaMail.zimbra@redhat.com> <289487922.19837303.1455196994918.JavaMail.zimbra@redhat.com> <892356320.32871945.1456152096564.JavaMail.zimbra@redhat.com> <26549462.26332960.1456250313045.JavaMail.zimbra@redhat.com> <1204896696.35164319.1456341183055.JavaMail.zimbra@redhat.com>
Message-ID: <108883573.2236436.1456835375323.JavaMail.zimbra@redhat.com>

ACK.
Thank you!

Master push: Make sure it will go *after or together with* the previous patch from Filip, #0007, thanks!

- alich -

----- Original Message -----
> From: "Filip Skola"
> To: "Aleš Mareček"
> Cc: freeipa-devel at redhat.com, "Milan Kubík"
> Sent: Wednesday, February 24, 2016 8:13:03 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
>
> Hi,
>
> fixed. To be honest, I left that +1char longer lines there on purpose. IMHO
> it brings better readability and pep8 *.py | wc -l in test_xmlrpc dir
> returns an overwhelming number anyway. But yeah, some of these weren't
> really necessary...so I changed them all :)
>
> This patch is dependent on 0007-3 patch.
>
> Filip
>
> ----- Original Message -----
> > NACK.
> >
> >
> > [root at master2 test_xmlrpc]# pep8 test_sudocmdgroup_plugin.py
> > test_sudocmdgroup_plugin.py:26:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:70:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:76:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:84:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:90:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:98:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:104:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:166:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:180:80: E501 line too long (80 > 79 characters)
> > test_sudocmdgroup_plugin.py:186:80: E501 line too long (84 > 79 characters)
> > [root at master2 test_xmlrpc]# pep8 tracker/sudocmdgroup_plugin.py
> > tracker/sudocmdgroup_plugin.py:36:80: E501 line too long (82 > 79 characters)
> > tracker/sudocmdgroup_plugin.py:42:80: E501 line too long (82 > 79 characters)
> > tracker/sudocmdgroup_plugin.py:46:80: E501 line too long (85 > 79 characters)
> > tracker/sudocmdgroup_plugin.py:55:80: E501 line too long (82 > 79 characters)
> > tracker/sudocmdgroup_plugin.py:64:80: E501 line too long (82 > 79 characters)
> >
> >
> > ----- Original Message -----
> > > From: "Filip Skola"
> > > To: "Aleš Mareček"
> > > Cc: freeipa-devel at redhat.com, "Milan Kubík"
> > > Sent: Monday, February 22, 2016 3:41:36 PM
> > > Subject: Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
> > >
> > > Hi,
> > >
> > > the test has been updated so it now uses the SudoCmdTracker (from the
> > > previous patch).
> > >
> > > Filip
> > >
> > > ----- Original Message -----
> > > > NACK.
> > > >
> > > > "create_sudocmd" and "delete_sudocmd" should be imported from Tracker, not
> > > > from the previous test (sudocmd_plugin).
> > > >
> > > > - alich -
> > > >
> > > > ----- Original Message -----
> > > > > From: "Filip Skola"
> > > > > To: freeipa-devel at redhat.com
> > > > > Sent: Thursday, January 28, 2016 12:49:17 PM
> > > > > Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
> > > > >
> > > > > Hi,
> > > > >
> > > > > sending the next sudo patch. This one depends on the previous one
> > > > > (sudocmd_plugin).
> > > > >
> > > > > Filip
> > > > >
> > > > > --
> > > > > Manage your subscription for the Freeipa-devel mailing list:
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> > > >
> > >
> >
>

From pvomacka at redhat.com Tue Mar 1 12:37:27 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 1 Mar 2016 13:37:27 +0100
Subject: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog
Message-ID: <56D58D07.709@redhat.com>

Hi,

The patch adds new field in user add dialog. This combo box lists GIDs of
posix groups so user can choose one. It is also possible to fill a GID number
which is not in the list.

Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505

--
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0007-Add-field-for-group-id-in-user-add-dialog.patch
Type: text/x-patch
Size: 3041 bytes
Desc: not available
URL:

From tbabej at redhat.com Tue Mar 1 12:46:08 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 13:46:08 +0100
Subject: [Freeipa-devel] [PATCH 00136] use LDAPS during standalone CA/KRA subsystem deployment
In-Reply-To: <56D0854F.4030404@redhat.com>
References: <56D0854F.4030404@redhat.com>
Message-ID: <56D58F10.20803@redhat.com>

On 02/26/2016 06:03 PM, Martin Babinsky wrote:
> This patch fixes https://fedorahosted.org/freeipa/ticket/5570 and also
> enables CA installation on CA-less master with hardened dirsrv
> configuration.
>
> When testing I ran into the issue with Dogtag restart during KRA
> installation [1] which I will try to troubleshoot with Dogtag guys. You
> are welcome to troubleshoot it also during the review, maybe I did some
> misconfiguration on my part.
>
> [1] https://www.redhat.com/archives/pki-devel/2016-February/msg00100.html
>
>

Works fine, ACK!

Pushed to:
master: 276d16775a4ce8af5d39ca8a7bf5bcd638df343f
ipa-4-3: 8de860cc081dd0e5e8b0ae3a97fbb89d6d1386c4
ipa-4-2: c7c126fb51c5b2c92622f493d1c7efbadb899e49

From tbabej at redhat.com Tue Mar 1 12:51:17 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 13:51:17 +0100
Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
In-Reply-To: <108883573.2236436.1456835375323.JavaMail.zimbra@redhat.com>
References: <1667642851.19197845.1453981757248.JavaMail.zimbra@redhat.com> <289487922.19837303.1455196994918.JavaMail.zimbra@redhat.com> <892356320.32871945.1456152096564.JavaMail.zimbra@redhat.com> <26549462.26332960.1456250313045.JavaMail.zimbra@redhat.com> <1204896696.35164319.1456341183055.JavaMail.zimbra@redhat.com> <108883573.2236436.1456835375323.JavaMail.zimbra@redhat.com>
Message-ID: <56D59045.9000405@redhat.com>

On 03/01/2016 01:29 PM, Aleš Mareček wrote:
> ACK.
> Thank you!
>
> Master push: Make sure it will go *after or together with* the previous patch from Filip, #0007, thanks!
>
> - alich -
>
> ----- Original Message -----
>> From: "Filip Skola"
>> To: "Aleš Mareček"
>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>> Sent: Wednesday, February 24, 2016 8:13:03 PM
>> Subject: Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
>>
>> Hi,
>>
>> fixed. To be honest, I left that +1char longer lines there on purpose. IMHO
>> it brings better readability and pep8 *.py | wc -l in test_xmlrpc dir
>> returns an overwhelming number anyway. But yeah, some of these weren't
>> really necessary...so I changed them all :)
>>
>> This patch is dependent on 0007-3 patch.
>>
>> Filip
>>
>> ----- Original Message -----
>>> NACK.
>>>
>>>
>>> [root at master2 test_xmlrpc]# pep8 test_sudocmdgroup_plugin.py
>>> test_sudocmdgroup_plugin.py:26:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:70:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:76:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:84:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:90:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:98:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:104:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:166:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:180:80: E501 line too long (80 > 79 characters)
>>> test_sudocmdgroup_plugin.py:186:80: E501 line too long (84 > 79 characters)
>>> [root at master2 test_xmlrpc]# pep8 tracker/sudocmdgroup_plugin.py
>>> tracker/sudocmdgroup_plugin.py:36:80: E501 line too long (82 > 79 characters)
>>> tracker/sudocmdgroup_plugin.py:42:80: E501 line too long (82 > 79 characters)
>>> tracker/sudocmdgroup_plugin.py:46:80: E501 line too long (85 > 79 characters)
>>> tracker/sudocmdgroup_plugin.py:55:80: E501 line too long (82 > 79 characters)
>>> tracker/sudocmdgroup_plugin.py:64:80: E501 line too long (82 > 79
>>> characters)
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Filip Skola"
>>>> To: "Aleš Mareček"
>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>> Sent: Monday, February 22, 2016 3:41:36 PM
>>>> Subject: Re: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
>>>>
>>>> Hi,
>>>>
>>>> the test has been updated so it now uses the SudoCmdTracker (from the
>>>> previous patch).
>>>>
>>>> Filip
>>>>
>>>> ----- Original Message -----
>>>>> NACK.
>>>>>
>>>>> "create_sudocmd" and "delete_sudocmd" should be imported from Tracker, not
>>>>> from the previous test (sudocmd_plugin).
>>>>>
>>>>> - alich -
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Filip Skola"
>>>>>> To: freeipa-devel at redhat.com
>>>>>> Sent: Thursday, January 28, 2016 12:49:17 PM
>>>>>> Subject: [Freeipa-devel] [PATCH] 0008 Refactor test_sudocmdgroup_plugin, create SudoCmdGroupTracker
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> sending the next sudo patch. This one depends on the previous one
>>>>>> (sudocmd_plugin).
>>>>>>
>>>>>> Filip
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>>
>>>>
>>>
>>
>

Pushed to master: dd38602fa5ea3f0a51db5458e846f3756ab74e47

From tbabej at redhat.com Tue Mar 1 12:53:29 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 13:53:29 +0100
Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
In-Reply-To: <1940649649.2236188.1456835242238.JavaMail.zimbra@redhat.com>
References: <1415364427.17513799.1453733845873.JavaMail.zimbra@redhat.com> <1464040446.19836563.1455196912586.JavaMail.zimbra@redhat.com> <1618888650.32803170.1456145983381.JavaMail.zimbra@redhat.com> <1411609333.26185776.1456236128153.JavaMail.zimbra@redhat.com> <1905014287.35162874.1456340875185.JavaMail.zimbra@redhat.com> <1940649649.2236188.1456835242238.JavaMail.zimbra@redhat.com>
Message-ID: <56D590C9.4090908@redhat.com>

On 03/01/2016 01:27 PM, Aleš Mareček wrote:
> ACK.
> Thank you!
> - alich -
>
> ----- Original Message -----
>> From: "Filip Skola"
>> To: "Aleš Mareček"
>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>> Sent: Wednesday, February 24, 2016 8:07:55 PM
>> Subject: Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
>>
>> Hi,
>>
>> these problems have been fixed.
>>
>> F.
>>
>> ----- Original Message -----
>>> NACK.
>>> Some little changes still required:
>>> * fixing the pep8 errors
>>> * fixing the wrong comment
>>>
>>> [root at master2 freeipa]# pep8 ipatests/test_xmlrpc/test_sudocmd_plugin.py
>>> ipatests/test_xmlrpc/test_sudocmd_plugin.py:94:80: E501 line too long (87 > 79 characters)
>>> ipatests/test_xmlrpc/test_sudocmd_plugin.py:97:80: E501 line too long (87 > 79 characters)
>>> ipatests/test_xmlrpc/test_sudocmd_plugin.py:134:80: E501 line too long (80 > 79 characters)
>>>
>>> [root at master2 freeipa]# pep8 ipatests/test_xmlrpc/tracker/sudocmd_plugin.py
>>> ipatests/test_xmlrpc/tracker/sudocmd_plugin.py:14:80: E501 line too long (81 > 79 characters)
>>>
>>> [root at master2 freeipa]# grep 'Class for' ipatests/test_xmlrpc/tracker/sudocmd_plugin.py
>>> """ Class for host plugin like tests """
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Filip Skola"
>>>> To: "Aleš Mareček"
>>>> Cc: freeipa-devel at redhat.com, "Milan Kubík"
>>>> Sent: Monday, February 22, 2016 1:59:43 PM
>>>> Subject: Re: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
>>>>
>>>> Hi,
>>>>
>>>> sudocmd tracker has been created.
>>>>
>>>> Filip
>>>>
>>>> ----- Original Message -----
>>>>> NACK.
>>>>>
>>>>> "create_sudocmd" and "delete_sudocmd" should be placed in Tracker. So this
>>>>> patch should create the tracker as well.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Filip Skola"
>>>>>> To: freeipa-devel at redhat.com
>>>>>> Sent: Monday, January 25, 2016 3:57:25 PM
>>>>>> Subject: [Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> attaching refactored sudocmd_plugin.
>>>>>>
>>>>>> Filip
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>>
>>>>
>>>
>>
>

Pushed to master: 007c360f85151caab7d608cc0a4eb1916b18eba9

Note: Please keep to down-posting on freeipa-devel.

From mbasti at redhat.com Tue Mar 1 13:03:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 14:03:56 +0100
Subject: [Freeipa-devel] [PATCH] 952 cookie parser: do not fail on cookie with empty value
In-Reply-To: <56D561B5.2040401@redhat.com>
References: <56D5612D.1050807@redhat.com> <56D561B5.2040401@redhat.com>
Message-ID: <56D5933C.6070407@redhat.com>

On 01.03.2016 10:32, Petr Vobornik wrote:
> Forgot to attach ticket number.
>
> https://fedorahosted.org/freeipa/ticket/5709
>
>
ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvoborni at redhat.com Tue Mar 1 13:16:54 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 1 Mar 2016 14:16:54 +0100 Subject: [Freeipa-devel] [PATCH] 952 cookie parser: do not fail on cookie with empty value In-Reply-To: <56D5933C.6070407@redhat.com> References: <56D5612D.1050807@redhat.com> <56D561B5.2040401@redhat.com> <56D5933C.6070407@redhat.com> Message-ID: <56D59646.20204@redhat.com> On 03/01/2016 02:03 PM, Martin Basti wrote: > > > On 01.03.2016 10:32, Petr Vobornik wrote: >> Forgot to attach ticket number. >> >> https://fedorahosted.org/freeipa/ticket/5709 >> >> > ACK > Pushed to: master: 25c53ba3fe474a36639d1c5ed30510c921203fdc ipa-4-3: 5721997c1a085de5e8d9be14fe6b9c1d63e7b561 ipa-4-2: 09de4496f01bc4bdf56bb7f7fcdc6a54ff73b15a -- Petr Vobornik From pspacek at redhat.com Tue Mar 1 13:35:29 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 1 Mar 2016 14:35:29 +0100 Subject: [Freeipa-devel] [PATCH 0390] Fix build with GCC 4.9+ In-Reply-To: <20160301110658.GA31766@mail.corp.redhat.com> References: <56C710B0.3020005@redhat.com> <56CF166F.1010003@redhat.com> <20160301110658.GA31766@mail.corp.redhat.com> Message-ID: <56D59AA1.5070306@redhat.com> On 1.3.2016 12:06, Lukas Slebodnik wrote: > On (25/02/16 15:57), Petr Spacek wrote: >> On 19.2.2016 13:55, Petr Spacek wrote: >>> Hello, >>> >>> Fix build with GCC 4.9+. >>> >>> GCC 4.9+ is too aggressive when optimizing functions with nonnull >>> attributes. This removes most of asserts() in the plugin. >>> GCC 6 adds warnings for these cases. >>> >>> We are disabling the unwanted condition pruning by adding >>> -fno-delete-null-pointer-checks argument. >>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >>> >>> Additionally we silence warnings to prevent build failures when -Werror >>> is used. >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >> >> Updated version is attached. It contains less autotools magic because it >> enables attribute nonnull only under Clang static analyzer and Coverity - as a >> result we do not have to silence GCC warnings from -Wnonnull. >> >> Please review so I can fix build in Fedora 24. >> >> Thank you. >> >> -- >> Petr^2 Spacek > >>From 4732fe9f4e525c44b46e7ed0734ccaec94fba49e Mon Sep 17 00:00:00 2001 
>> From: Petr Spacek >> Date: Fri, 19 Feb 2016 13:39:27 +0100 >> Subject: [PATCH] Fix build with GCC 4.9+. >> >> GCC 4.9+ is too aggressive when optimizing functions with nonnull >> attributes. This removes most of asserts() in the plugin. >> GCC 6 adds warnings for these cases. >> >> We are disabling the unwanted condition pruning by adding >> -fno-delete-null-pointer-checks argument. >> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >> >> Additionally we enable nonnull attribute only when the build is running under >> Clang static analyzer or Coverity. >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >> --- >> configure.ac | 13 +++++++++++++ >> src/util.h | 8 ++++++-- >> 2 files changed, 19 insertions(+), 2 deletions(-) >> >> diff --git a/configure.ac b/configure.ac >> index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..a0123ac0a62b5acd5238f028d8c42e83af4060db 100644 >> --- a/configure.ac >> +++ b/configure.ac 
>> @@ -39,6 +39,19 @@ AC_TRY_COMPILE([ >> [CFLAGS="$SAVED_CFLAGS" >> AC_MSG_RESULT([no])]) >> >> +# Check if build chain supports -fno-delete-null-pointer-checks >> +# this flag avoids too agressive optimizations which would remove some asserts >> +# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >> +AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >> +SAVED_CFLAGS="$CFLAGS" >> +CFLAGS="$CFLAGS -fno-delete-null-pointer-checks" >> +AC_TRY_COMPILE([ >> + extern int fdef(void); >> +],[], >> +[AC_MSG_RESULT([yes])], >> +[CFLAGS="$SAVED_CFLAGS" >> + AC_MSG_RESULT([no])]) >> + > NACK. > > It failes with clang. > > configure:12982: checking for -fno-delete-null-pointer-checks compiler flag > configure:12999: clang -c -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fno-delete-null-pointer-checks conftest.c >&5 > clang-3.8: warning: optimization flag '-fno-delete-null-pointer-checks' is not supported > clang-3.8: warning: argument unused during compilation: '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' > configure:12999: $? = 0 > configure:13000: result: yes > > Reproducer: > autoreconf -if && CC=clang ./configure && make Thanks! I was testing this only with Clang static analyzer ... Here is updated patch. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0390-3-Fix-build-with-GCC-4.9.patch Type: text/x-patch Size: 2548 bytes Desc: not available URL: From pspacek at redhat.com Tue Mar 1 13:36:41 2016 
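Review bot: the probe in the configure.ac hunk treats any successful AC_TRY_COMPILE as proof that -fno-delete-null-pointer-checks is supported, so a compiler that accepts an unknown optimization flag with only a warning still takes the [yes] branch and keeps the flag in CFLAGS. Consider adding -Werror to CFLAGS for the duration of the test, then restoring SAVED_CFLAGS plus the new flag on success, so that a warning-only rejection ends in the AC_MSG_RESULT([no]) branch. Minor: "agressive" in the added comment should read "aggressive".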
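The approach described in the 0390 commit message above, keeping the nonnull annotation for static analyzers only so that runtime NULL checks survive an optimized build, sketched as an added example. This is not the bind-dyndb-ldap patch itself; `ATTR_NONNULLS`, `copy_name()` and `DEMO_ALWAYS_NONNULL` are hypothetical names used only here.

```c
/* Added example, not code from bind-dyndb-ldap. ATTR_NONNULLS, copy_name()
 * and DEMO_ALWAYS_NONNULL are hypothetical names used only for this sketch. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * __clang_analyzer__ is predefined while the Clang static analyzer runs and
 * __COVERITY__ while Coverity parses the code. An ordinary optimizing build
 * defines neither, so the attribute expands to nothing there and the
 * compiler gets no licence to assume the pointers are non-NULL.
 * Compile with -DDEMO_ALWAYS_NONNULL to get the unconditional variant and
 * compare the generated code and warnings.
 */
#if defined(DEMO_ALWAYS_NONNULL) || defined(__clang_analyzer__) || \
    defined(__COVERITY__)
#define ATTR_NONNULLS __attribute__((nonnull))
#else
#define ATTR_NONNULLS
#endif

enum result { R_SUCCESS = 0, R_INVALID = -1, R_NOSPACE = -2 };

/* The attribute sits on the prototype; without an argument list it covers
 * every pointer parameter of the function. */
int copy_name(char *dst, size_t dstlen, const char *src) ATTR_NONNULLS;

int copy_name(char *dst, size_t dstlen, const char *src)
{
	size_t len;

	/*
	 * Runtime guard. When the nonnull attribute is in force, an
	 * optimizing compiler may treat this condition as always false and
	 * remove the branch, which is the assert() pruning the commit
	 * message describes.
	 */
	if (dst == NULL || src == NULL)
		return R_INVALID;

	len = strlen(src);
	if (len >= dstlen)
		return R_NOSPACE;

	memcpy(dst, src, len + 1);	/* copy including the terminator */
	return R_SUCCESS;
}

int main(void)
{
	char buf[16];
	/* volatile hides the NULL from compile-time constant propagation */
	const char *volatile missing = NULL;

	printf("valid input : %d\n", copy_name(buf, sizeof(buf), "ipa.test"));
	printf("NULL source : %d\n", copy_name(buf, sizeof(buf), missing));
	printf("short buffer: %d\n", copy_name(buf, 4, "ipa.test"));
	return 0;
}
```

With `-DDEMO_ALWAYS_NONNULL` the NULL call in `main()` violates the declared contract, so its result is no longer something to rely on; that is the failure mode the conditional macro avoids in production builds.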
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 1 Mar 2016 14:36:41 +0100 Subject: [Freeipa-devel] [PATCH 0391-0392] Add missing return value checks to pthread operations & replace strcmp(var, "") with strlen(var) to workaround Clang bug 20144 Message-ID: <56D59AE9.1040004@redhat.com> Hello, Add missing return value checks to pthread operations. Detected by clang 3.8 -O2 -Wunused-value. Replace strcmp(var, "") with strlen(var) to workaround Clang bug 20144. https://llvm.org/bugs/show_bug.cgi?id=20144 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0391-Replace-strcmp-var-with-strlen-var-to-workaround-Cla.patch Type: text/x-patch Size: 1528 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0392-Add-missing-return-value-checks-to-pthread-operation.patch Type: text/x-patch Size: 4301 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 1 13:50:31 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 1 Mar 2016 14:50:31 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56D473D7.2050103@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A1018D.101@redhat.com> <56CDCC82.30108@redhat.com> <56CEDF98.7060809@redhat.com> <56CF452E.30503@redhat.com> <56D06E27.2050408@redhat.com> <56D081E4.4070702@redhat.com> <56D473D7.2050103@redhat.com> Message-ID: <56D59E27.6070508@redhat.com> On 02/29/2016 05:37 PM, thierry bordaz wrote: > On 02/26/2016 05:48 PM, Martin Babinsky wrote: >> On 02/26/2016 04:24 PM, thierry bordaz wrote: >>> On 02/25/2016 07:17 PM, thierry bordaz wrote: >>>> On 02/25/2016 12:03 PM, Martin Babinsky wrote: >>>>> On 02/24/2016 04:30 PM, thierry bordaz wrote: >>>>>> On 01/21/2016 05:04 PM, Martin Babinsky wrote: >>>>>>> On 01/21/2016 01:37 PM, thierry bordaz wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Hi Thierry, >>>>>>> >>>>>>> I have couple of comments to your patch: >>>>>>> >>>>>>> 1.) >>>>>>> there is a number of PEP8 errors in the patch >>>>>>> (http://paste.fedoraproject.org/313246/33893701), please fix them. >>>>>>> >>>>>>> See http://www.freeipa.org/page/Python_Coding_Style for our >>>>>>> conventions used in Python code. >>>>>>> >>>>>>> 2.) >>>>>>> + DNA_BIND_METHOD = "dnaRemoteBindMethod" >>>>>>> + DNA_CONN_PROTOCOL = "dnaRemoteConnProtocol" >>>>>>> + DNA_PLUGIN_DN = 'cn=Distributed Numeric Assignment >>>>>>> Plugin,cn=plugins,cn=config' >>>>>>> + dna_config_base = 'cn=Posix IDs,%s' % DNA_PLUGIN_DN >>>>>>> >>>>>>> Uppercase names are usually reserved for module-level constants. >>>>>>> OTOH, >>>>>>> local variables should be lowercase. Also you can instantiate >>>>>>> dna_config_base directly as DN, using 2-member tuples, i. 
e: >>>>>>> >>>>>>> """ >>>>>>> dna_config_base = DN(('cn', 'posix IDs'), ('cn', 'Distributed >>>>>>> Numeric >>>>>>> Assignment Plugin'), ('cn', 'plugins'), ('cn', 'config')) >>>>>>> """ >>>>>>> >>>>>>> When passing DN object to the formatting functions/operators, it is >>>>>>> automatically converted to string so no need to hold string and DN >>>>>>> object separately. This is done in other places (see >>>>>>> function/methods >>>>>>> in replication.py). >>>>>>> >>>>>>> 3.) >>>>>>> >>>>>>> + for i in range(len(entries)) : >>>>>>> + >>>>>>> + mod = [] >>>>>>> + if entries[i].single_value.get(DNA_BIND_METHOD) != >>>>>>> method: >>>>>>> + mod.append((ldap.MOD_REPLACE, DNA_BIND_METHOD, >>>>>>> method)) >>>>>>> + >>>>>>> + if entries[i].single_value.get(DNA_CONN_PROTOCOL) != >>>>>>> protocol: >>>>>>> + mod.append((ldap.MOD_REPLACE, DNA_CONN_PROTOCOL, >>>>>>> protocol)) >>>>>>> >>>>>>> >>>>>>> please use idiomatic Python when handling list of entries, e.g.: >>>>>>> >>>>>>> """ >>>>>>> for entry in entries: >>>>>>> mod = [] >>>>>>> if entry.single_value.get(DNA_BIND_METHOD) != method: >>>>>>> ... >>>>>>> """ >>>>>>> >>>>>>> 4.) I think that this method should in DSInstance class since it >>>>>>> deals >>>>>>> with directory server configuration. Service is a parent object >>>>>>> of all >>>>>>> other service installers/configurators and should contain only >>>>>>> methods >>>>>>> common to more children. >>>>>>> >>>>>>> 5.) Since the method is called from every installer, it could be >>>>>>> beneficial to call it in DSInstance.__common_post_setup() as a >>>>>>> part of >>>>>>> Directory server installation. Is there any reason why this is >>>>>>> not the >>>>>>> case? >>>>>>> >>>>>>> 6.) 
>>>>>>> >>>>>>> + while attempt != MAX_WAIT: >>>>>>> + try: >>>>>>> + entries = conn.get_entries(sharedcfgdn, >>>>>>> scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) >>>>>>> + break >>>>>>> + except errors.NotFound: >>>>>>> + root_logger.debug("So far enable not find DNA >>>>>>> shared >>>>>>> config entry for dnaHostname=%s under %s. Retry in 2sec" % >>>>>>> (self.fqdn, >>>>>>> sharedcfgdn)) >>>>>>> + attempt = attempt + 1 >>>>>>> + time.sleep(2) >>>>>>> + continue >>>>>>> + >>>>>>> + # safety checking >>>>>>> + # there is no return, if there are several entries, as a >>>>>>> workaround of #5510 >>>>>>> + if len(entries) != 1: >>>>>>> >>>>>>> I am quite afraid what would happen if the server does not return >>>>>>> any >>>>>>> entries until 30 s timeout. The code will then continue to the >>>>>>> condition which can potentially test an uninitialized variable and >>>>>>> blow up with 'NameError'. This should be handled more robustly, >>>>>>> e. g. >>>>>>> raise an exception when a timeout is reached and no entries were >>>>>>> returned. >>>>>>> >>>>>>> 7.) >>>>>>> >>>>>>> + if len(mod) > 0: >>>>>>> >>>>>>> A Pythonic way to test for non-empty container is >>>>>>> >>>>>>> """ >>>>>>> if mods: >>>>>>> # do stuff >>>>>>> """ >>>>>>> >>>>>>> since an empty list/dict/set evaluates to False and non-empty >>>>>>> containers are True. >>>>>>> >>>>>>> >>>>>>> 8.) 
>>>>>>> >>>>>>> + entry = conn.get_entry(entries[i].dn) >>>>>>> + if entry.single_value.get(DNA_BIND_METHOD) != >>>>>>> method: >>>>>>> + root_logger.error("Fail to set SASL/GSSAPI bind >>>>>>> method to %s" % (entries[i].dn)) >>>>>>> + if entry.single_value.get(DNA_CONN_PROTOCOL) != >>>>>>> protocol: >>>>>>> + root_logger.error("Fail to set LDAP protocol to >>>>>>> %s" % (entries[i].dn)) >>>>>>> >>>>>>> rather than re-fetching the modified entry and testing what >>>>>>> happened, >>>>>>> you can just catch an exception raised by unsuccessful mod and >>>>>>> log an >>>>>>> error like this: >>>>>>> >>>>>>> """ >>>>>>> try: >>>>>>> conn.modify_s(entry.dn, mod) >>>>>>> except Exception as e: >>>>>>> root_logger.error("Failed to modify entry {}: >>>>>>> {}".format(entry, e)) >>>>>>> """ >>>>>>> >>>>>>> as a matter of fact, if the modify_s operation would fail for some >>>>>>> reason, an ldap exception would be raised and your checks would not >>>>>>> even be executed. >>>>>>> >>>>>>> 9.) >>>>>>> The debug message on line 219 should read "Unable to find DNA shared >>>>>>> config entry for dnaHostname=%s so far. Retry in 2 sec.". The errors >>>>>>> at the end of the method should have "Failed" instead of "Fail". >>>>>>> >>>>>> Hi Martin, >>>>>> >>>>>> Finally tested... here is the updated patch. Thanks for your patience >>>>>> >>>>>> >>>>>> thanks >>>>>> thierry >>>>> >>>>> Hi Thierry, >>>>> >>>>> the patch works as expected. I have some more nitpicks though: >>>>> >>>>> 1.) Please fix the following pep8 errors: >>>>> >>>>> http://paste.fedoraproject.org/329086/56397841/ >>>>> >>>>> you can check whether your recent commit conforms to PEP8 by running >>>>> >>>>> "git show -U0 | pep8 --diff" >>>>> >>>>> 2.) >>>>> + self.step("update DNA shared config entry", >>>>> self.update_dna_shared_config) >>>>> >>>>> I would rather change the message to "Updating DNA shared config >>>>> entry" since all other messages use continuous tense. >>>>> >>>>> 3.) 
>>>>> >>>>> + else: >>>>> + raise RuntimeError("Could not get dnaHostname >>>>> entries in {} seconds".format(max_wait * 2)) >>>>> >>>>> Please use root_logger.error() and then return as is used elsewhere >>>>> in the method. We do not want a runaway exception crashing upgrade. >>>>> >>>> Hi Martin, >>>> >>>> Updated/tested the patch with your help/recommendations. pep8 is clear >>>> now :-) >>>> >>>> thanks >>>> thierry >>> >>> Hi Martin, >>> >>> Following your recommendation it is an updated patch to not check/update >>> shared config entry in DSinstance.__post_common_setup(). >>> In fact at this step, DNA plugin is disabled and such the check would be >>> a no-op. >>> >>> thanks >>> thierry >> >> Thanks Thierry, >> >> the patch will need a rebased version which applies cleanly on top of >> ipa-4-3 branch, but otherwise ACK. >> > Thanks Martin for all the reviews. > > Here is the patch for ipa-4.3 > > thanks > thierry Thanks, ACK. -- Martin^3 Babinsky From mbasti at redhat.com Tue Mar 1 13:56:08 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 1 Mar 2016 14:56:08 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56D57F0C.1060103@redhat.com> References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> Message-ID: <56D59F78.1000000@redhat.com> On 01.03.2016 12:37, Martin Basti wrote: > > > On 01.03.2016 12:32, Martin Basti wrote: >> >> >> On 29.02.2016 13:16, Oleg Fayans wrote: >>> Hi all, >>> >>> Finally the tests pass. >>> >>> The patch 0024 applies on top of patch 0022 (please, consider reviewing >>> it also). Besides, the whole functionality depends on Martin's patch >>> N 0421 >>> >>> All patches pass pylint. >> hello, >> >> I cannot apply patches on master branch >> Martin^2 > My bad I applied wrong patch > >>> >>> >>> On 12/19/2015 11:56 PM, Martin Basti wrote: >>>> >>>> On 17.12.2015 10:04, Oleg Fayans wrote: >>>>> Hi Martin, >>>>> >>>>> I am sorry, in my previous email I attached the old version of patch >>>>> 0016. The correct on is attached. 
>>>>> >>>>> On 12/16/2015 05:47 PM, Martin Basti wrote: >>>>>> On 16.12.2015 15:39, Martin Basti wrote: >>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> The updated patches are attached. Patch 0017 includes all >>>>>>>> changes from >>>>>>>> patch 0018, so, if you approve this one, there would be no need to >>>>>>>> continue with the review of 0018. This one contains all changes >>>>>>>> related >>>>>>>> to you remarks from 0018 review. Please see my explanation on the >>>>>>>> stdout+stderr part in the thread from patch 0018. >>>>>>>> With these two patches applied one of the tests fails due this >>>>>>>> bug: >>>>>>>> https://fedorahosted.org/freeipa/ticket/5550 >>>>>>>> >>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote: >>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote: >>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin >>>>>>>>>>> >>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote: >>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote: >>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant >>>>>>>>>>>>> DOMAIN_SUFFIX_NAME >>>>>>>>>>>>> >>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> The patches are rebased against the current master. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both >>>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. 
please, see my >>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just >>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? 
It should allow >>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something like >>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it >>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. 
>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes everything >>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain level >>>>>>>>>>>>>>>>>>>>>>>> in CI >>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per >>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>> have one >>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>> which initiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves should be >>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>> domain level they need. 
>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that >>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say your >>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in >>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>> install_topo methods, but it cannot be >>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in >>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain levels >>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>> need something that allows override the config file. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> As I said below, domain_level default value >>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If domain >>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) use >>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml config, >>>>>>>>>>>>>>>>>>>>>>>> how >>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when it is >>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, use >>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>> this case. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. 
patch 16 >>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused parameter to >>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option as >>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>> can you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>> number literal? 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain >>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work? >>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing >>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>> just not >>>>>>>>>>>>>>>>>>>>>>>>>> to use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted for >>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>> Why is this change in the patch? >>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line 78 of >>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you >>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again. 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns >>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>> bug. On the other hand, if I promote an existing client to >>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>> then delete this replica, then, I probably want the host >>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>> client. 
>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host >>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>> and >>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure >>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>> found >>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>> But, A record has been removed, so this is probably false >>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>> Removed >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the >>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 line >>>>>>>>>>>>>>>>> too >>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>> your >>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>> >>>>>>>>>>>> This patch is missing something. >>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The correct >>>>>>>>>>> patch is >>>>>>>>>>> attached >>>>>>>>>>> >>>>>>>>>> ************* Module >>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>> keyword >>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>> 'domain_level' >>>>>>>>>> member) >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' >>>>>>>>>> member) >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>> [E1101(no-member), >>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' >>>>>>>>>> member) >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>> [E1101(no-member), >>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore' >>>>>>>>>> member) >>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>> Unexpected >>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>> >>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with >>>>>>>>> review >>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>> test is >>>>>>> working, we may push this. >>>>>>> >>>>>> Is this expected due the bug you mentioned? 
>>>>>> _____ >>>>>> __________________________________________________________________________ >>>>>> >>>>>> >>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>> ________________________________________________________________________________ >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> self = >>>>>> >>>>> >>>>>> >>>>>> object at 0x7f5071a59e50> >>>>>> >>>>>> def test_kra_install_master(self): >>>>>> result1 = tasks.install_kra(self.master, raiseonerr=False) >>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>> [replica_file] >>>>>> E >>>>>> E ipa-kra-install: error: Replica file >>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>> E The ipa-kra-install command failed. See >>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>> E >>>>>> E assert 2 == 0 >>>>>> E + where 2 = >>>>> object at >>>>>> 0x7f5071adbd50>.returncode >>>>>> >>>> IMO the test needs fix, KRA on replica file needs KRA related >>>> certificates in replica file >>>> >>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN >>>> >>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>> '/root/ipatests/replica-info.gpg'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>> '/root/ipatests/replica-info.gpg'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA >>>> certificates, please create a new replica file. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>> ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log >>>> for more information >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1 >>>> FAILED >>>> traceback >>>> >>>> self = >>>> >>> object at 0x7f660bc1a590> >>>> >> > I just read the code. 
PATCH 16: 0) PEP8 ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 indentation is not a multiple of four ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 unexpected indentation ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 line too long (80 > 79 characters) ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 line too long (81 > 79 characters) 1) workaround is not workaround, because the host entry is removed anyway, the error is raised from POST callback, please remove it + # Workaround for 5627 + if "host not found" in result.stderr_text: + self.master.run_command(["ipa", + "host-del", + host.hostname], raiseonerr=False) 2) Please name it better, for example "replica" instead of "i" + for i in self.replicas: + tasks.install_replica(master, i, setup_ca=False, + setup_dns=True) 3) Please use constant for domain level (multiple times) + result1 = tasks.install_ca(replica1, domain_level=1, raiseonerr=False) + tasks.install_ca(replica1, domain_level=0) + result2 = tasks.install_ca(replica2, domain_level=0, raiseonerr=False) ... 
more times 4) This link does not exists, only connect is deprecated not ipa-replica-manage at all + def test_replica_manage_commands(self): + """ + TestCase: http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 + """ 5) Missing testcases: Test case: Unprivileged users are not allowed to enroll and promote clients Test case: Replica created using old workflow is functional after domain upgrade Test case: ipa-csreplica-manage connect is deprecated in domain level 1 Test case: Replica can be installed using one command Test case: Prohibit ipa server uninstallation from disconnecting topology segment PATCH 24: 1) why there is this change, how it is related to this patch?: def apply_common_fixes(host): + prepare_host(host) fix_etc_hosts(host) fix_hostname(host) - prepare_host(host) 2) Why is there this change, how it is related to this patch?: def replica_prepare(master, replica): - apply_common_fixes(replica) fix_apache_semaphores(replica) ... def install_replica(master, replica, setup_ca=True, setup_dns=False, ... + apply_common_fixes(replica) 3) why is there this change, how it is related to this patch?: - + args.extend(['-n', replica.domain.name, + '-r', replica.domain.realm]) 4) why there force, how is this change related to this patch (domain levels)? '-w', client.config.admin_password, - '--server', master.hostname] + '--server', master.hostname, + '--force'] + list(extra_args)) Otherwise domain level related changes LGTM PATCH 25 LGTM Martin^2 From mkubik at redhat.com Tue Mar 1 14:22:48 2016 
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 1 Mar 2016 15:22:48 +0100
Subject: [Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095
In-Reply-To: <56C7147A.1090407@redhat.com>
References: <56AB80BE.4090604@redhat.com> <56B1C6E2.60106@redhat.com> <56B1FE4C.4080600@redhat.com> <56B3029F.70001@redhat.com> <56BDF43D.70503@redhat.com> <56C7147A.1090407@redhat.com>
Message-ID: <56D5A5B8.7080108@redhat.com>

On 02/19/2016 02:11 PM, Oleg Fayans wrote:
> Hi Milan,
>
> On 02/12/2016 04:03 PM, Milan Kubík wrote:
>>
> Agreed. The latest patch gets rid of all resolv.conf related
> manipulations. The tests work (where not affected by
> https://fedorahosted.org/bind-dyndb-ldap/ticket/160)
>
>
>> --
>> Milan Kubik
>>
Works for me, tested on sudo test that requires autodiscovery.

ACK

--
Milan Kubik

From pspacek at redhat.com Tue Mar 1 14:23:25 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 1 Mar 2016 15:23:25 +0100
Subject: [Freeipa-devel] [PATCH 0086] Fix URL for reporting bugs in string
Message-ID: <56D5A5DD.1000209@redhat.com>

Hello,

Fix URL for reporting bugs in strings.

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0086-Fix-URL-for-reporting-bugs-in-strings.patch
Type: text/x-patch
Size: 952 bytes
Desc: not available
URL:

From tbabej at redhat.com Tue Mar 1 14:25:57 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 15:25:57 +0100
Subject: [Freeipa-devel] [PATCH 0086] Fix URL for reporting bugs in string
In-Reply-To: <56D5A5DD.1000209@redhat.com>
References: <56D5A5DD.1000209@redhat.com>
Message-ID: <56D5A675.8010109@redhat.com>

On 03/01/2016 03:23 PM, Petr Spacek wrote:
> Hello,
>
> Fix URL for reporting bugs in strings.
>

ACK, good catch.

From tbabej at redhat.com Tue Mar 1 14:27:29 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Tue, 1 Mar 2016 15:27:29 +0100
Subject: [Freeipa-devel] [PATCH 0086] Fix URL for reporting bugs in string
In-Reply-To: <56D5A675.8010109@redhat.com>
References: <56D5A5DD.1000209@redhat.com> <56D5A675.8010109@redhat.com>
Message-ID: <56D5A6D1.2070809@redhat.com>

On 03/01/2016 03:25 PM, Tomas Babej wrote:
>
>
> On 03/01/2016 03:23 PM, Petr Spacek wrote:
>> Hello,
>>
>> Fix URL for reporting bugs in strings.
>>
>
> ACK, good catch.
>

Pushed to master: e9922c36b15476f99426d0e85fde857887fb5c7d

From pspacek at redhat.com Tue Mar 1 14:46:23 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 1 Mar 2016 15:46:23 +0100
Subject: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
Message-ID: <56D5AB3F.6080702@redhat.com>

Hello,

Pylint: enable parallelism

The config file specifies 8 cores but Pylint very quickly ends up with
3 cores so do not worry about overwhelming your system.

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0087-Pylint-enable-parallelism.patch
Type: text/x-patch
Size: 705 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Mar 1 15:39:10 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Mar 2016 16:39:10 +0100
Subject: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56CC93B8.2050307@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com>
Message-ID: <56D5B79E.9020606@redhat.com>

On 02/23/2016 06:15 PM, Martin Basti wrote:
>
>
> On 23.02.2016 17:31, Tomas Babej wrote:
>>
>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>
>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00
>>>>> 2001
>>>>> From: Martin Basti
>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS
>>>>> restart
>>>>>
>>>>> Restarting DS executed by upgrade plugin causes that upgrade frameworg
>>>>> was waiting for not proper socket to be ready. This commit fix issue.
>>>> Please fix the commit message typos.
>>>>
>>> Fixed. Updated patches attached.
>> ACK.
>>
>> Tomas
> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>

Testing freeipa-4.2.4 build and it fails at
install/dsinstance.py:add_sidgen_plugin:936

adding self.ldap_connect() on line 937 fixed the issue.
--
Petr Vobornik

From mbasti at redhat.com Tue Mar 1 16:02:03 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 17:02:03 +0100
Subject: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56D5B79E.9020606@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com> <56D5B79E.9020606@redhat.com>
Message-ID: <56D5BCFB.7010406@redhat.com>

On 01.03.2016 16:39, Petr Vobornik wrote:
> On 02/23/2016 06:15 PM, Martin Basti wrote:
>>
>>
>> On 23.02.2016 17:31, Tomas Babej wrote:
>>>
>>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>>
>>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00
>>>>>> 2001
>>>>>> From: Martin Basti
>>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS
>>>>>> restart
>>>>>>
>>>>>> Restarting DS executed by upgrade plugin causes that upgrade
>>>>>> frameworg
>>>>>> was waiting for not proper socket to be ready. This commit fix
>>>>>> issue.
>>>>> Please fix the commit message typos.
>>>>>
>>>> Fixed. Updated patches attached.
>>> ACK.
>>>
>>> Tomas
>> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
>> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
>> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>>
>
> Testing freeipa-4.2.4 build and it fails at
> install/dsinstance.py:add_sidgen_plugin:936
>
> adding self.ldap_connect() on line 937 fixed the issue.

Well I may rework PATCH 0416, and fix it in different way, or I can add
self.ldap_connect() to sidgen and extdom steps.

Which is better?

From pvoborni at redhat.com Tue Mar 1 16:13:02 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 1 Mar 2016 17:13:02 +0100
Subject: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56D5BCFB.7010406@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com> <56D5B79E.9020606@redhat.com> <56D5BCFB.7010406@redhat.com>
Message-ID: <56D5BF8E.3050308@redhat.com>

On 03/01/2016 05:02 PM, Martin Basti wrote:
>
>
> On 01.03.2016 16:39, Petr Vobornik wrote:
>> On 02/23/2016 06:15 PM, Martin Basti wrote:
>>>
>>>
>>> On 23.02.2016 17:31, Tomas Babej wrote:
>>>>
>>>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>>>
>>>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00
>>>>>>> 2001
>>>>>>> From: Martin Basti
>>>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS
>>>>>>> restart
>>>>>>>
>>>>>>> Restarting DS executed by upgrade plugin causes that upgrade
>>>>>>> frameworg
>>>>>>> was waiting for not proper socket to be ready. This commit fix
>>>>>>> issue.
>>>>>> Please fix the commit message typos.
>>>>>>
>>>>> Fixed. Updated patches attached.
>>>> ACK.
>>>>
>>>> Tomas
>>> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
>>> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
>>> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>>>
>>
>> Testing freeipa-4.2.4 build and it fails at
>> install/dsinstance.py:add_sidgen_plugin:936
>>
>> adding self.ldap_connect() on line 937 fixed the issue.
>
> Well I may rework PATCH 0416, and fix it in different way, or I can add
> self.ldap_connect() to sidgen and extdom steps.
>
> Which is better?
>

I would avoid reworking it in all 3 branches if in 4.3 and master it
works and is actually correct. Doesn't make sense to change new code
because of missing features in old branches. Adding connect to ipa-4-2
seems enough to me.
--
Petr Vobornik

From mbasti at redhat.com Tue Mar 1 16:14:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 17:14:02 +0100
Subject: [Freeipa-devel] [PATCH 0416-0419] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56D5BF8E.3050308@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com> <56D5B79E.9020606@redhat.com> <56D5BCFB.7010406@redhat.com> <56D5BF8E.3050308@redhat.com>
Message-ID: <56D5BFCA.6060707@redhat.com>

On 01.03.2016 17:13, Petr Vobornik wrote:
> On 03/01/2016 05:02 PM, Martin Basti wrote:
>>
>>
>> On 01.03.2016 16:39, Petr Vobornik wrote:
>>> On 02/23/2016 06:15 PM, Martin Basti wrote:
>>>>
>>>>
>>>> On 23.02.2016 17:31, Tomas Babej wrote:
>>>>>
>>>>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>>>>
>>>>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00
>>>>>>>> 2001
>>>>>>>> From: Martin Basti
>>>>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket
>>>>>>>> after DS
>>>>>>>> restart
>>>>>>>>
>>>>>>>> Restarting DS executed by upgrade plugin causes that upgrade
>>>>>>>> frameworg
>>>>>>>> was waiting for not proper socket to be ready. This commit fix
>>>>>>>> issue.
>>>>>>> Please fix the commit message typos.
>>>>>>>
>>>>>> Fixed. Updated patches attached.
>>>>> ACK.
>>>>>
>>>>> Tomas
>>>> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
>>>> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
>>>> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>>>>
>>>
>>> Testing freeipa-4.2.4 build and it fails at
>>> install/dsinstance.py:add_sidgen_plugin:936
>>>
>>> adding self.ldap_connect() on line 937 fixed the issue.
>>
>> Well I may rework PATCH 0416, and fix it in different way, or I can add
>> self.ldap_connect() to sidgen and extdom steps.
>>
>> Which is better?
>>
>
> I would avoid reworking it in all 3 branches if in 4.3 and master it
> works and is actually correct. Doesn't make sense to change new code
> because of missing features in old branches. Adding connect to ipa-4-2
> seems enough to me.

IMO it works accidentally there, any additional patch or restart can
break it in 4.3 and master too

From pviktori at redhat.com Tue Mar 1 16:18:08 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 1 Mar 2016 17:18:08 +0100
Subject: [Freeipa-devel] [python-pytest-multihost] Request to add support to specify username/password for each host
In-Reply-To: <20160229165748.GA19752@mniranja.pnq.redhat.com>
References: <20160226101434.GA18928@mniranja.pnq.redhat.com> <20160229112631.GA13353@mniranja.pnq.redhat.com> <20160229160744.GA18511@mniranja.pnq.redhat.com> <20160229165748.GA19752@mniranja.pnq.redhat.com>
Message-ID: <56D5C0C0.5010500@redhat.com>

On 02/29/2016 05:57 PM, Niranjan wrote:
> Greetings,
>
> Attached wrong patch in my last mail. Request to review the patch
> attached to this email
>

Hello,
I've generalized the patch a bit to make it use existing host
attributes, and I added tests. Could you check if it still works for you?

--
Petr Viktorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-to-specify-usernames-password-per-host.patch
Type: text/x-patch
Size: 6956 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 1 16:55:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 17:55:54 +0100
Subject: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
In-Reply-To: <56CF30E6.5080902@redhat.com>
References: <56CF1455.3020904@redhat.com> <56CF30E6.5080902@redhat.com>
Message-ID: <56D5C99A.4050201@redhat.com>

On 25.02.2016 17:50, Martin Basti wrote:
>
>
> On 25.02.2016 15:48, Martin Basti wrote:
>> The last pylint 1.5 patch, \o/
>>
>> https://fedorahosted.org/freeipa/ticket/5615
>>
>>
> self-NACK too broad disables
>
>
Updated patches attached.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0425.2-pylint-supress-false-positive-no-member-errors.patch
Type: text/x-patch
Size: 11840 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-2-mbasti-0425.2-pylint-supress-false-positive-no-member-errors.patch
Type: text/x-patch
Size: 8676 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 1 17:32:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 18:32:21 +0100
Subject: [Freeipa-devel] [PATCH 0427] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56D5BFCA.6060707@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com> <56D5B79E.9020606@redhat.com> <56D5BCFB.7010406@redhat.com> <56D5BF8E.3050308@redhat.com> <56D5BFCA.6060707@redhat.com>
Message-ID: <56D5D225.1090004@redhat.com>

On 01.03.2016 17:14, Martin Basti wrote:
>
>
> On 01.03.2016 17:13, Petr Vobornik wrote:
>> On 03/01/2016 05:02 PM, Martin Basti wrote:
>>>
>>>
>>> On 01.03.2016 16:39, Petr Vobornik wrote:
>>>> On 02/23/2016 06:15 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 23.02.2016 17:31, Tomas Babej wrote:
>>>>>>
>>>>>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>>>>>
>>>>>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>>>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17
>>>>>>>>> 00:00:00
>>>>>>>>> 2001
>>>>>>>>> From: Martin Basti
>>>>>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket
>>>>>>>>> after DS
>>>>>>>>> restart
>>>>>>>>>
>>>>>>>>> Restarting DS executed by upgrade plugin causes that upgrade
>>>>>>>>> frameworg
>>>>>>>>> was waiting for not proper socket to be ready. This commit fix
>>>>>>>>> issue.
>>>>>>>> Please fix the commit message typos.
>>>>>>>>
>>>>>>> Fixed. Updated patches attached.
>>>>>> ACK.
>>>>>>
>>>>>> Tomas
>>>>> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
>>>>> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
>>>>> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>>>>>
>>>>
>>>> Testing freeipa-4.2.4 build and it fails at
>>>> install/dsinstance.py:add_sidgen_plugin:936
>>>>
>>>> adding self.ldap_connect() on line 937 fixed the issue.
>>>
>>> Well I may rework PATCH 0416, and fix it in different way, or I can add
>>> self.ldap_connect() to sidgen and extdom steps.
>>>
>>> Which is better?
>>>
>>
>> I would avoid reworking it in all 3 branches if in 4.3 and master it
>> works and is actually correct. Doesn't make sense to change new code
>> because of missing features in old branches. Adding connect to
>> ipa-4-2 seems enough to me.
>
> IMO it works accidentally there, any additional patch or restart can
> break it in 4.3 and master too
>

Patch attached.

ipa-4-2 needs to have backported ca8f63624b204f0c4f2d1ac5f4ed93551f7e62df
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0427-Fix-connections-to-DS-during-installation.patch
Type: text/x-patch
Size: 1407 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 1 18:04:51 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 19:04:51 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D59F78.1000000@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com>
Message-ID: <56D5D9C3.8000102@redhat.com>

On 01.03.2016 14:56, Martin Basti wrote:
>
>
>
> On 01.03.2016 12:37, Martin Basti wrote:
>>
>>
>> On 01.03.2016 12:32, Martin Basti wrote:
>>>
>>>
>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>> Hi all,
>>>>
>>>> Finally the tests pass.
>>>>
>>>> The patch 0024 applies on top of patch 0022 (please, consider
>>>> reviewing
>>>> it also). Besides, the whole functionality depends on Martin's
>>>> patch N 0421
>>>>
>>>> All patches pass pylint.
>>> hello,
>>>
>>> I cannot apply patches on master branch
>>> Martin^2
>> My bad I applied wrong patch
>>
>>>>
>>>>
>>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>>>
>>>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>>>> Hi Martin,
>>>>>>
>>>>>> I am sorry, in my previous email I attached the old version of patch
>>>>>> 0016. The correct one is attached.
>>>>>>
>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>>>> Hi Martin,
>>>>>>>>>
>>>>>>>>> The updated patches are attached. Patch 0017 includes all
>>>>>>>>> changes from
>>>>>>>>> patch 0018, so, if you approve this one, there would be no
>>>>>>>>> need to
>>>>>>>>> continue with the review of 0018. This one contains all changes
>>>>>>>>> related
>>>>>>>>> to your remarks from 0018 review. Please see my explanation on the
>>>>>>>>> stdout+stderr part in the thread from patch 0018.
>>>>>>>>> With these two patches applied one of the tests fails due this
>>>>>>>>> bug:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>>>>
>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>>>>> Hi Martin
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant
>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both
>>>>>>>>>>>>>>>>>>>>>> patches are
>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help!
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one.
please, see my >>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just >>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? 
It should >>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something >>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it >>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. 
>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per >>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves >>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>> domain level they need. 
>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that >>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say >>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in >>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in >>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If >>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, >>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? 
>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work? >>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing >>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted >>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>> Why is this change in the patch? 
>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you >>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns >>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing >>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the host >>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host >>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure >>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>> But, A record has been removed, so this is probably false >>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the >>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>> 
./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>> >>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The correct >>>>>>>>>>>> patch is >>>>>>>>>>>> attached >>>>>>>>>>>> >>>>>>>>>>> ************* Module >>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>> keyword >>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>> 'domain_level' >>>>>>>>>>> member) >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' >>>>>>>>>>> member) >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>> [E1101(no-member), >>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' >>>>>>>>>>> member) >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>> [E1101(no-member), >>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore' >>>>>>>>>>> member) >>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>> Unexpected >>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>> >>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with >>>>>>>>>> review >>>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>>> test is >>>>>>>> working, we may push this. >>>>>>>> >>>>>>> Is this expected due the bug you mentioned? 
>>>>>>> _____ >>>>>>> __________________________________________________________________________ >>>>>>> >>>>>>> >>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>> ________________________________________________________________________________ >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> self = >>>>>>> >>>>>> >>>>>>> >>>>>>> object at 0x7f5071a59e50> >>>>>>> >>>>>>> def test_kra_install_master(self): >>>>>>> result1 = tasks.install_kra(self.master, >>>>>>> raiseonerr=False) >>>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>> [replica_file] >>>>>>> E >>>>>>> E ipa-kra-install: error: Replica file >>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>> E The ipa-kra-install command failed. See >>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>> E >>>>>>> E assert 2 == 0 >>>>>>> E + where 2 = >>>>>> object at >>>>>>> 0x7f5071adbd50>.returncode >>>>>>> >>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>> certificates in replica file >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>> RUN >>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>> '/root/ipatests/replica-info.gpg'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>> '/root/ipatests/replica-info.gpg'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA >>>>> certificates, please create a new replica file. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>> ipa-kra-install command failed. See >>>>> /var/log/ipaserver-kra-install.log >>>>> for more information >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1 >>>>> FAILED >>>>> traceback >>>>> >>>>> self = >>>>> >>>> object at 0x7f660bc1a590> >>>>> >>> >> > I just read the code. 
> > PATCH 16: > 0) > PEP8 > ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 > indentation is not a multiple of four > ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 > unexpected indentation > ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 > line too long (80 > 79 characters) > ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 > line too long (81 > 79 characters) > > 1) > workaround is not workaround, because the host entry is removed > anyway, the error is raised from POST callback, please remove it > + # Workaround for 5627 > + if "host not found" in result.stderr_text: > + self.master.run_command(["ipa", > + "host-del", > + host.hostname], > raiseonerr=False) sorry, I was wrong with this, check is in pre_callback, but please remove it anyway, I will send patch to fix it ASAP > > 2) > Please name it better, for example "replica" instead of "i" > + for i in self.replicas: > + tasks.install_replica(master, i, setup_ca=False, > + setup_dns=True) > > 3) > Please use constant for domain level (multiple times) > + result1 = tasks.install_ca(replica1, domain_level=1, raiseonerr=False) > > + tasks.install_ca(replica1, domain_level=0) > + result2 = tasks.install_ca(replica2, domain_level=0, > raiseonerr=False) > ... 
more times > > 4) > This link does not exists, only connect is deprecated not > ipa-replica-manage at all > + def test_replica_manage_commands(self): > + """ > + TestCase: > http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan > + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 > + """ > > 5) > Missing testcases: > > Test case: Unprivileged users are not allowed to enroll and promote > clients > Test case: Replica created using old workflow is functional after > domain upgrade > Test case: ipa-csreplica-manage connect is deprecated in domain level 1 > Test case: Replica can be installed using one command > Test case: Prohibit ipa server uninstallation from disconnecting > topology segment > > > PATCH 24: > > 1) > why there is this change, how it is related to this patch?: > def apply_common_fixes(host): > + prepare_host(host) > fix_etc_hosts(host) > fix_hostname(host) > - prepare_host(host) > > 2) > Why is there this change, how it is related to this patch?: > def replica_prepare(master, replica): > - apply_common_fixes(replica) > fix_apache_semaphores(replica) > ... > def install_replica(master, replica, setup_ca=True, setup_dns=False, > ... > + apply_common_fixes(replica) > > 3) > why is there this change, how it is related to this patch?: > - > + args.extend(['-n', replica.domain.name, > + '-r', replica.domain.realm]) > > 4) > why there force, how is this change related to this patch (domain > levels)? > '-w', client.config.admin_password, > - '--server', master.hostname] > + '--server', master.hostname, > + '--force'] > + list(extra_args)) > > Otherwise domain level related changes LGTM > > PATCH 25 > > LGTM > > Martin^2 > From mbasti at redhat.com Tue Mar 1 19:09:07 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 20:09:07 +0100
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
Message-ID: <56D5E8D3.5020709@redhat.com>

https://fedorahosted.org/freeipa/ticket/5704

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0428-SPEC-do-not-run-upgrade-when-ipa-server-is-not-insta.patch
Type: text/x-patch
Size: 1759 bytes
Desc: not available
URL:

From rcritten at redhat.com Tue Mar 1 19:13:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 1 Mar 2016 14:13:35 -0500
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56D5E8D3.5020709@redhat.com>
References: <56D5E8D3.5020709@redhat.com>
Message-ID: <56D5E9DF.1080201@redhat.com>

Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5704
>
> Patch attached.
>
>
Would it be safer to integrate this into ipa-upgrade itself? You'd just
need to return 0 for the case where IPA isn't installed.

rob

From mbasti at redhat.com Tue Mar 1 19:15:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 1 Mar 2016 20:15:56 +0100
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56D5E9DF.1080201@redhat.com>
References: <56D5E8D3.5020709@redhat.com> <56D5E9DF.1080201@redhat.com>
Message-ID: <56D5EA6C.4030005@redhat.com>

On 01.03.2016 20:13, Rob Crittenden wrote:
> Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5704
>>
>> Patch attached.
>>
>>
> Would it be safer to integrate this into ipa-upgrade itself? You'd just
> need to return 0 for the case where IPA isn't installed.
>
> rob

How about the case when ipa-server-upgrade is called by user from CLI?
It should fail because IPA is not installed, instead of returning
success. That check is in specfile anyway due to service restart.

Martin^2

From rcritten at redhat.com Tue Mar 1 19:36:18 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 1 Mar 2016 14:36:18 -0500
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56D5EA6C.4030005@redhat.com>
References: <56D5E8D3.5020709@redhat.com> <56D5E9DF.1080201@redhat.com> <56D5EA6C.4030005@redhat.com>
Message-ID: <56D5EF32.7090006@redhat.com>

Martin Basti wrote:
>
>
> On 01.03.2016 20:13, Rob Crittenden wrote:
>> Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5704
>>>
>>> Patch attached.
>>>
>>>
>> Would it be safer to integrate this into ipa-upgrade itself? You'd just
>> need to return 0 for the case where IPA isn't installed.
>>
>> rob
> How about the case when ipa-server-upgrade is called by user from CLI?
> It should fail because IPA is not installed, instead of returning
> success. That check is in specfile anyway due to service restart.
>
> Martin^2

Yeah, I was hoping you'd miss that :-)

It just seems to me, as you point out, that it should check when run by
anything, user or spec, so adding it only to the spec seems wrong.

I'm not a huge fan of option bloat but that would be one way around
this, --graceful-exit or something. Could make it a hidden option if you
wanted.

rob

From ofayans at redhat.com Tue Mar 1 23:12:31 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 2 Mar 2016 00:12:31 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D5D9C3.8000102@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com>
Message-ID: <56D621DF.406@redhat.com>

Hi Martin,

On 03/01/2016 07:04 PM, Martin Basti wrote:
>
>
> On 01.03.2016 14:56, Martin Basti wrote:
>>
>>
>>
>> On 01.03.2016 12:37, Martin Basti wrote:
>>>
>>>
>>> On 01.03.2016 12:32, Martin Basti wrote:
>>>>
>>>>
>>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>>> Hi all,
>>>>>
>>>>> Finally the tests pass.
>>>>>
>>>>> The patch 0024 applies on top of patch 0022 (please, consider
>>>>> reviewing
>>>>> it also). Besides, the whole functionality depends on Martin's
>>>>> patch N 0421
>>>>>
>>>>> All patches pass pylint.
>>>> hello,
>>>>
>>>> I cannot apply patches on master branch
>>>> Martin^2
>>> My bad, I applied the wrong patch
>>>
>>>>>
>>>>>
>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>>>>
>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>>>>> Hi Martin,
>>>>>>>
>>>>>>> I am sorry, in my previous email I attached the old version of patch
>>>>>>> 0016. The correct one is attached.
>>>>>>>
>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>>>>> Hi Martin,
>>>>>>>>>>
>>>>>>>>>> The updated patches are attached. Patch 0017 includes all
>>>>>>>>>> changes from
>>>>>>>>>> patch 0018, so, if you approve this one, there would be no
>>>>>>>>>> need to
>>>>>>>>>> continue with the review of 0018. This one contains all changes
>>>>>>>>>> related
>>>>>>>>>> to your remarks from 0018 review. Please see my explanation on the
>>>>>>>>>> stdout+stderr part in the thread from patch 0018.
>>>>>>>>>> With these two patches applied one of the tests fails due to this
>>>>>>>>>> bug:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>>>>>
>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>>>>>> Hi Martin
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant
>>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both >>>>>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. 
please, see my >>>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just >>>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? 
It should >>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something >>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it >>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per >>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>> any particular test. 
The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that >>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say >>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in >>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in >>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>>> file. 
>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. If >>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, >>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work? >>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing >>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted >>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>> Why is this change in the patch? 
>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you >>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns >>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the host >>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host >>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure >>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably false >>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the >>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (83 > 79 
characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The correct >>>>>>>>>>>>> patch is >>>>>>>>>>>>> attached >>>>>>>>>>>>> >>>>>>>>>>>> ************* Module >>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>> keyword >>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>> 'domain_level' >>>>>>>>>>>> member) >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' >>>>>>>>>>>> member) >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' >>>>>>>>>>>> member) >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore' >>>>>>>>>>>> member) >>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>> Unexpected >>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>> >>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with >>>>>>>>>>> review >>>>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>>>> test is >>>>>>>>> working, we may push this. >>>>>>>>> >>>>>>>> Is this expected due the bug you mentioned? 
>>>>>>>> _____ >>>>>>>> __________________________________________________________________________ >>>>>>>> >>>>>>>> >>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>> ________________________________________________________________________________ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> self = >>>>>>>> >>>>>>> >>>>>>>> >>>>>>>> object at 0x7f5071a59e50> >>>>>>>> >>>>>>>> def test_kra_install_master(self): >>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>> raiseonerr=False) >>>>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>> [replica_file] >>>>>>>> E >>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>> E The ipa-kra-install command failed. See >>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>> E >>>>>>>> E assert 2 == 0 >>>>>>>> E + where 2 = >>>>>>> object at >>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>> >>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>> certificates in replica file >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>> RUN >>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>> '/root/ipatests/replica-info.gpg'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>> '/root/ipatests/replica-info.gpg'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA >>>>>> certificates, please create a new replica file. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>> ipa-kra-install command failed. See >>>>>> /var/log/ipaserver-kra-install.log >>>>>> for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1 >>>>>> FAILED >>>>>> traceback >>>>>> >>>>>> self = >>>>>> >>>>> object at 0x7f660bc1a590> >>>>>> >>>> >>> >> I just read the code. 
>> >> PATCH 16: >> 0) >> PEP8 >> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 >> indentation is not a multiple of four >> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 >> unexpected indentation >> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 >> line too long (80 > 79 characters) >> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 >> line too long (81 > 79 characters) >> >> 1) >> workaround is not workaround, because the host entry is removed >> anyway, the error is raised from POST callback, please remove it >> + # Workaround for 5627 >> + if "host not found" in result.stderr_text: >> + self.master.run_command(["ipa", >> + "host-del", >> + host.hostname], >> raiseonerr=False) > sorry, I was wrong with this, check is in pre_callback, but please > remove it anyway, I will send patch to fix it ASAP Done > >> >> 2) >> Please name it better, for example "replica" instead of "i" >> + for i in self.replicas: >> + tasks.install_replica(master, i, setup_ca=False, >> + setup_dns=True) Done >> >> 3) >> Please use constant for domain level (multiple times) >> + result1 = tasks.install_ca(replica1, domain_level=1, raiseonerr=False) >> >> + tasks.install_ca(replica1, domain_level=0) >> + result2 = tasks.install_ca(replica2, domain_level=0, >> raiseonerr=False) >> ... 
more times Done >> >> 4) >> This link does not exists, only connect is deprecated not >> ipa-replica-manage at all >> + def test_replica_manage_commands(self): >> + """ >> + TestCase: >> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 >> + """ Fixed >> >> 5) >> Missing testcases: >> >> Test case: Unprivileged users are not allowed to enroll and promote >> clients >> Test case: Replica created using old workflow is functional after >> domain upgrade >> Test case: ipa-csreplica-manage connect is deprecated in domain level 1 >> Test case: Replica can be installed using one command >> Test case: Prohibit ipa server uninstallation from disconnecting >> topology segment >> They are on the way, not fully ready yet >> >> PATCH 24: >> >> 1) >> why there is this change, how it is related to this patch?: >> def apply_common_fixes(host): >> + prepare_host(host) >> fix_etc_hosts(host) >> fix_hostname(host) >> - prepare_host(host) Good catch! That was one of my attempts to address the issue that was successfully resolved in patch 0025. Will remove it once we agree on the rest of the changes >> >> 2) >> Why is there this change, how it is related to this patch?: >> def replica_prepare(master, replica): >> - apply_common_fixes(replica) >> fix_apache_semaphores(replica) >> ... >> def install_replica(master, replica, setup_ca=True, setup_dns=False, >> ... >> + apply_common_fixes(replica) Just to make this call independent from domain level (at domain_level 1 replica_prepare never gets called) >> >> 3) >> why is there this change, how it is related to this patch?: >> - >> + args.extend(['-n', replica.domain.name, >> + '-r', replica.domain.realm]) At least -r is a required parameter. -n was added for further robustness. Can be safely removed, though >> >> 4) >> why there force, how is this change related to this patch (domain >> levels)? 
>> '-w', client.config.admin_password, >> - '--server', master.hostname] >> + '--server', master.hostname, >> + '--force'] >> + list(extra_args)) client refuses to install unless everything is super clear in the dns setup (including reverse zone). Otherwise the installer fails and informs you that you may use '--force' at your own risk. I can rerun the tests without this option to provide you with the exact output, if you like. >> >> Otherwise domain level related changes LGTM >> >> PATCH 25 >> >> LGTM >> >> Martin^2 >> > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0016.9-Integration-tests-for-replica-promotion-feature.patch Type: text/x-patch Size: 10939 bytes Desc: not available URL: From jcholast at redhat.com Wed Mar 2 06:26:32 2016 
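Review bot: In the PATCH 24 hunk that builds the ipa-client-install argument list, '--force' is appended unconditionally after '--server', master.hostname, so every client install in the suite now goes past the DNS checks described in the reply, and a broken forward or reverse zone in the test environment can no longer fail a run. The same hunk already appends list(extra_args); consider leaving '--force' out of the default list and passing it through extra_args only from the tests whose topology needs it, with a comment naming the reason.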
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 2 Mar 2016 07:26:32 +0100
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56D5EF32.7090006@redhat.com>
References: <56D5E8D3.5020709@redhat.com> <56D5E9DF.1080201@redhat.com> <56D5EA6C.4030005@redhat.com> <56D5EF32.7090006@redhat.com>
Message-ID: <56D68798.60603@redhat.com>

On 1.3.2016 20:36, Rob Crittenden wrote:
> Martin Basti wrote:
>>
>>
>> On 01.03.2016 20:13, Rob Crittenden wrote:
>>> Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5704
>>>>
>>>> Patch attached.
>>>>
>>>>
>>> Would it be safer to integrate this into ipa-upgrade itself? You'd just
>>> need to return 0 for the case where IPA isn't installed.
>>>
>>> rob
>> How about the case when ipa-server-upgrade is called by user from CLI?
>> It should fail because IPA is not installed, instead of returning
>> success. That check is in specfile anyway due to service restart.
>>
>> Martin^2
>
> Yeah, I was hoping you'd miss that :-)
>
> It just seems to me, as you point out, that it should check when run by
> anything, user or spec, so adding it only to the spec seems wrong. I'm
> not a huge fan of option bloat but that would be one way around this,
> --graceful-exit or something. Could make it a hidden option if you wanted.

I don't think adding the option is worth the effort, as we will be soon
moving away from running the upgrade script directly from the spec file
to a service based solution (#4552, #5373).

--
Jan Cholasta

From mbasti at redhat.com Wed Mar 2 09:05:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 10:05:57 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D621DF.406@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com>
Message-ID: <56D6ACF5.4070402@redhat.com>

On 02.03.2016 00:12, Oleg Fayans wrote:
> Hi Martin,
>
> On 03/01/2016 07:04 PM, Martin Basti wrote:
>>
>> On 01.03.2016 14:56, Martin Basti wrote:
>>>
>>>
>>> On 01.03.2016 12:37, Martin Basti wrote:
>>>>
>>>> On 01.03.2016 12:32, Martin Basti wrote:
>>>>>
>>>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> Finally the tests pass.
>>>>>>
>>>>>> The patch 0024 applies on top of patch 0022 (please, consider
>>>>>> reviewing
>>>>>> it also). Besides, the whole functionality depends on Martin's
>>>>>> patch N 0421
>>>>>>
>>>>>> All patches pass pylint.
>>>>> hello, >>>>> >>>>> I cannot apply patches on master branch >>>>> Martin^2 >>>> My bad I applied wrong patch >>>> >>>>>> >>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote: >>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> I am sorry, in my previous email I attached the old version of patch >>>>>>>> 0016. The correct on is attached. >>>>>>>> >>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote: >>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote: >>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote: >>>>>>>>>>> Hi Martin, >>>>>>>>>>> >>>>>>>>>>> The updated patches are attached. Patch 0017 includes all >>>>>>>>>>> changes from >>>>>>>>>>> patch 0018, so, if you approve this one, there would be no >>>>>>>>>>> need to >>>>>>>>>>> continue with the review of 0018. This one contains all changes >>>>>>>>>>> related >>>>>>>>>>> to you remarks from 0018 review. Please see my explanation on the >>>>>>>>>>> stdout+stderr part in the thread from patch 0018. >>>>>>>>>>> With these two patches applied one of the tests fails due this >>>>>>>>>>> bug: >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550 >>>>>>>>>>> >>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote: >>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote: >>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote: >>>>>>>>>>>>>> Hi Martin >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote: >>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant >>>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> The patches are rebased against the current master. 
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both >>>>>>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. 
please, see my >>>>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just >>>>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? 
It should >>>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something >>>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it >>>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per >>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>> any particular test. 
The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that >>>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say >>>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in >>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the domain_level in >>>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>>>> file. 
>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. If >>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, >>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted >>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>> Why is this change in the patch? 
>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if you >>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created again. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the corresponding dns >>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the host >>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes host >>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not sure >>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably false >>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns the >>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>> result? 
>>>>>>>>>>>>>>>>>>> Right. Removed >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> This patch is missing something. 
>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. The correct patch is attached
>>>>>>>>>>>>>>
>>>>>>>>>>>>> ************* Module ipatests.test_integration.test_replica_promotion
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: [E1123(unexpected-keyword-arg), Dummy.install] Unexpected keyword argument 'domain_level' in function call)
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: [E1101(no-member), Dummy.install] Class 'Dummy' has no 'domain_level' member)
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: [E1101(no-member), Dummy.teardown_method] Module 'ipatests.test_integration.tasks' has no 'uninstall_replica' member)
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: [E1101(no-member), TestReplicaPromotionLevel0.test_backup_restore] Module 'ipatests.test_integration.tasks' has no 'ipa_backup' member)
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: [E1101(no-member), TestReplicaPromotionLevel0.test_backup_restore] Module 'ipatests.test_integration.tasks' has no 'ipa_restore' member)
>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: [E1123(unexpected-keyword-arg), TestCAInstall.install] Unexpected keyword argument 'domain_level' in function call)
>>>>>>>>>>>>>
>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with review
>>>>>>>>>> LGTM, I haven't had time to test it, but if you are sure that test is working, we may push this.
>>>>>>>>>>
>>>>>>>>> Is this expected due the bug you mentioned?
>>>>>>>>> _____
>>>>>>>>> __________________________________________________________________________
>>>>>>>>>
>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master
>>>>>>>>> ________________________________________________________________________________
>>>>>>>>>
>>>>>>>>> self =
>>>>>>>>> object at 0x7f5071a59e50>
>>>>>>>>>
>>>>>>>>> def test_kra_install_master(self):
>>>>>>>>> result1 = tasks.install_kra(self.master,
>>>>>>>>> raiseonerr=False)
>>>>>>>>>> assert result1.returncode == 0, result1.stderr_text
>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] [replica_file]
>>>>>>>>> E
>>>>>>>>> E ipa-kra-install: error: Replica file /root/ipatests/replica-info.gpg does not exist
>>>>>>>>> E The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
>>>>>>>>> E
>>>>>>>>> E assert 2 == 0
>>>>>>>>> E + where 2 = object at 0x7f5071adbd50>.returncode
>>>>>>>>>
>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related certificates in replica file
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'Secret123', '/root/ipatests/replica-info.gpg']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN ['ipa-kra-install', '-U', '-p', 'Secret123', '/root/ipatests/replica-info.gpg']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing KRA certificates, please create a new replica file.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit code: 1
>>>>>>> FAILED
>>>>>>> traceback
>>>>>>>
>>>>>>> self =
>>>>>>> object at 0x7f660bc1a590>
>>>>>>>
>>> I just read the code.
>>>
>>> PATCH 16:
>>> 0)
>>> PEP8
>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 indentation is not a multiple of four
>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 unexpected indentation
>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 line too long (80 > 79 characters)
>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 line too long (81 > 79 characters)
>>>
>>> 1)
>>> workaround is not workaround, because the host entry is removed anyway, the error is raised from POST callback, please remove it
>>> + # Workaround for 5627
>>> + if "host not found" in result.stderr_text:
>>> + self.master.run_command(["ipa",
>>> + "host-del",
>>> + host.hostname],
>>> raiseonerr=False)
>> sorry, I was wrong with this, check is in pre_callback, but please remove it anyway, I will send patch to fix it ASAP
> Done

I realized that the fix I'm working on is for 4.4 only, so for 4.3 add this as separated patch.

>>> 2)
>>> Please name it better, for example "replica" instead of "i"
>>> + for i in self.replicas:
>>> + tasks.install_replica(master, i, setup_ca=False,
>>> + setup_dns=True)
> Done
>
>>> 3)
>>> Please use constant for domain level (multiple times)
>>> + result1 = tasks.install_ca(replica1, domain_level=1, raiseonerr=False)
>>>
>>> + tasks.install_ca(replica1, domain_level=0)
>>> + result2 = tasks.install_ca(replica2, domain_level=0,
>>> raiseonerr=False)
>>> ... more times
> Done
>
>>> 4)
>>> This link does not exists, only connect is deprecated not ipa-replica-manage at all
>>> + def test_replica_manage_commands(self):
>>> + """
>>> + TestCase:
>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1
>>> + """
> Fixed
>
>>> 5)
>>> Missing testcases:
>>>
>>> Test case: Unprivileged users are not allowed to enroll and promote clients
>>> Test case: Replica created using old workflow is functional after domain upgrade
>>> Test case: ipa-csreplica-manage connect is deprecated in domain level 1
>>> Test case: Replica can be installed using one command
>>> Test case: Prohibit ipa server uninstallation from disconnecting topology segment
>>>
> They are on the way, not fully ready yet
>
>>> PATCH 24:
>>>
>>> 1)
>>> why there is this change, how it is related to this patch?:
>>> def apply_common_fixes(host):
>>> + prepare_host(host)
>>> fix_etc_hosts(host)
>>> fix_hostname(host)
>>> - prepare_host(host)
> Good catch! That was one of my attempts to address the issue that was successfully resolved in patch 0025. Will remove it once we agree on the rest of the changes
>
>>> 2)
>>> Why is there this change, how it is related to this patch?:
>>> def replica_prepare(master, replica):
>>> - apply_common_fixes(replica)
>>> fix_apache_semaphores(replica)
>>> ...
>>> def install_replica(master, replica, setup_ca=True, setup_dns=False,
>>> ...
>>> + apply_common_fixes(replica)
> Just to make this call independent from domain level (at domain_level 1 replica_prepare never gets called)

It should be in separate commit, because it is not related to adding domain_level in class functionality

>
>
>>> 3)
>>> why is there this change, how it is related to this patch?:
>>> -
>>> + args.extend(['-n', replica.domain.name,
>>> + '-r', replica.domain.realm])
> At least -r is a required parameter. -n was added for further robustness. Can be safely removed, though

It should be in separate commit, as this is not related to domain levels

>
>>> 4)
>>> why there force, how is this change related to this patch (domain levels)?
>>> '-w', client.config.admin_password,
>>> - '--server', master.hostname]
>>> + '--server', master.hostname,
>>> + '--force']
>>> + list(extra_args))
> client refuses to install unless everything is super clear in the dns setup (including reverse zone). Otherwise the installer fails and informs you that you may use '--force' at your own risk. I can rerun the tests without this option to provide you with the exact output, if you like.

It should be in separated commit, because it is not related to domain levels

>
>>> Otherwise domain level related changes LGTM
>>>
>>> PATCH 25
>>>
>>> LGTM
>>>
>>> Martin^2
>>>
From pvoborni at redhat.com Wed Mar 2 09:40:49 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 2 Mar 2016 10:40:49 +0100
Subject: [Freeipa-devel] [PATCH 0427] fix broken configuration of sidgen and extdom plugins
In-Reply-To: <56D5D225.1090004@redhat.com>
References: <56C6E324.2090509@redhat.com> <20160219101226.GQ4492@redhat.com> <56C71F3E.4080102@redhat.com> <20160219140216.GZ4492@redhat.com> <56CB31E3.7030002@redhat.com> <56CB5052.5040803@redhat.com> <56CB5D57.3070300@redhat.com> <56CC45C1.1010805@redhat.com> <20160223120249.GG4492@redhat.com> <56CC4F9C.5040705@redhat.com> <56CC8962.40201@redhat.com> <56CC93B8.2050307@redhat.com> <56D5B79E.9020606@redhat.com> <56D5BCFB.7010406@redhat.com> <56D5BF8E.3050308@redhat.com> <56D5BFCA.6060707@redhat.com> <56D5D225.1090004@redhat.com>
Message-ID: <56D6B521.1000100@redhat.com>

On 03/01/2016 06:32 PM, Martin Basti wrote:
>
>
> On 01.03.2016 17:14, Martin Basti wrote:
>>
>>
>> On 01.03.2016 17:13, Petr Vobornik wrote:
>>> On 03/01/2016 05:02 PM, Martin Basti wrote:
>>>>
>>>>
>>>> On 01.03.2016 16:39, Petr Vobornik wrote:
>>>>> On 02/23/2016 06:15 PM, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 23.02.2016 17:31, Tomas Babej wrote:
>>>>>>>
>>>>>>> On 02/23/2016 01:25 PM, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 23.02.2016 13:02, Alexander Bokovoy wrote:
>>>>>>>>> On Tue, 23 Feb 2016, Martin Basti wrote:
>>>>>>>>>> From f2ae1bd129a1741500d2f3dcb86a0da553604d15 Mon Sep 17 00:00:00 2001
>>>>>>>>>> From: Martin Basti
>>>>>>>>>> Date: Tue, 23 Feb 2016 10:37:47 +0100
>>>>>>>>>> Subject: [PATCH 4/4] fix upgrade: wait for proper DS socket after DS restart
>>>>>>>>>>
>>>>>>>>>> Restarting DS executed by upgrade plugin causes that upgrade frameworg
>>>>>>>>>> was waiting for not proper socket to be ready. This commit fix issue.
>>>>>>>>> Please fix the commit message typos.
>>>>>>>>>
>>>>>>>> Fixed. Updated patches attached.
>>>>>>> ACK.
>>>>>>>
>>>>>>> Tomas
>>>>>> Pushed to master: 0accf8ccb64963954dbe7c137d23f52e5901ac4f
>>>>>> Pushed to ipa-4-3: 4734012c8063460f93f3b819a5bbcca797f6059e
>>>>>> Pushed to ipa-4-2: 63d8caf0d105f02decc0b5d865fedf6ad063bc1a
>>>>>>
>>>>>
>>>>> Testing freeipa-4.2.4 build and it fails at
>>>>> install/dsinstance.py:add_sidgen_plugin:936
>>>>>
>>>>> adding self.ldap_connect() on line 937 fixed the issue.
>>>>
>>>> Well I may rework PATCH 0416, and fix it in different way, or I can add
>>>> self.ldap_connect() to sidgen and extdom steps.
>>>>
>>>> Which is better?
>>>>
>>>
>>> I would avoid reworking it in all 3 branches if in 4.3 and master it
>>> works and is actually correct. Doesn't make sense to change new code
>>> because of missing features in old branches. Adding connect to
>>> ipa-4-2 seems enough to me.
>>
>> IMO it works accidentally there, any additional patch or restart can
>> break it in 4.3 and master too
>>
> Patch attached.
>
> ipa-4-2 needs to have backported ca8f63624b204f0c4f2d1ac5f4ed93551f7e62df

ACK

pushed to:
master:
* fcc540bbdc5daa24990940124ec3bd439b05257d Fix connections to DS during installation
ipa-4-3:
* c14fb0b9e0f4cb977e897645126ef7d1bbf9aa9e Fix connections to DS during installation
ipa-4-2:
* e2ef561375c63a375710254f159f75d7318c514d Insure the admin_conn is disconnected on stop
* 0af81913258b2f4c9841c5baddda146667282b2c Fix connections to DS during installation
--
Petr Vobornik

From abokovoy at redhat.com Wed Mar 2 10:13:33 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 2 Mar 2016 12:13:33 +0200
Subject: [Freeipa-devel] External trust to AD
Message-ID: <20160302101333.GI4492@redhat.com>

Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design for external trust to AD feature. The text is included below for easier review.

-----------------------------------------------------------------------
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==

Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between IPA and my domain only. The trust between IPA and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.

== Design==

External trust between Active Directory domains is by definition non-transitive and enforces SID filtering between the domain boundaries. This means only users and groups with SIDs from the trusted domain can use the resources and be visible on IPA systems. None of other users and groups from domains the trusted domain trusts within its own Active Directory forest or other externally trusted domains will be allowed to access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure. There are several specific changes to allow supporting external trust:

* '''Non-transitivity''': since external trust is non-transitive by definition, any attempt to set transitivity feature of the trust link with LSA SetInformationTrustedDomain() command will fail. Thus, there is no need to set transitivity for the external trust.
* '''Trust attributes''': external trust can be detected by looking into absence of ipaNTTrustAttributes LDAP attribute of the trusted domain object.

== Feature Management ==

=== UI ===

An option 'external trust' needs to be added to Web UI, corresponding to '--external' flag in 'trust-add' command in CLI.

=== CLI ===

An external trust creation can be requested by passing additional flag '--external=true' to the 'trust-add' command. The flag defaults to 'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

=== Configuration ===

No configuration options needed.

== Upgrade ==

No changes on upgrades. The trust properties are only set up at trust creation time.

== How to Test ==

In order to test the external trust, attempt to create a trust to non-root domain in an Active Directory forest. It should fail without '--external=true' option and should be able to establish the external trust with '--external=true' option to 'trust-add' command. A type of the trust can be seen with 'trust-show' command.

== Test Plan ==

-----------------------------------------------------------------------
--
/ Alexander Bokovoy

From dkupka at redhat.com Wed Mar 2 10:18:37 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 2 Mar 2016 05:18:37 -0500 (EST)
Subject: [Freeipa-devel] [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
In-Reply-To: <1119358720.40519983.1456913836314.JavaMail.zimbra@redhat.com>
Message-ID: <1194734610.40520786.1456913917730.JavaMail.zimbra@redhat.com>

https://fedorahosted.org/freeipa/ticket/5694
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0094.0-man-Decribe-ipa-client-install-workaround-for-broken.patch
Type: text/x-patch
Size: 1444 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Mar 2 10:55:25 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 2 Mar 2016 12:55:25 +0200
Subject: [Freeipa-devel] Supporting UPNs of trusted forests
Message-ID: <20160302105525.GJ4492@redhat.com>

Hi,

http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains describes a design page to support name suffixes from trusted Active Directory domains. A prototype code exists (written by me and Sumit) and was tested by Sumit against recent releases of SSSD.

Text is provided below for easier commenting.

-----------------------------------------------------------------
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==

User principal name (UPN) in Active Directory is the primary form of addressing users. UPN has structure of 'user name at suffix' where both user name and suffix parts may vary. By default the suffix is the same as the Active Directory domain name but AD administrators may create additional name suffixes and associate them with specific users. These additional UPNs for users may then be used for Kerberos authentication against Active Directory domains. Alternative UPNs are often used when several companies with Active Directory deployments merge and want to provide unified logon namespace.

The purpose of this feature is to allow using alternative UPNs associated with the Active Directory users when accessing resources in FreeIPA domain.

== Use Cases ==

As an Active Directory user, I want to login using my user at EXAMPLE user principal name even if my Active Directory domain is named REGION.EXAMPLE.COM.

== Design==

Support for UPNs is split to three different components:

;Client-side : SSSD already supports logon with UPN by asking a KDC to accept enterprise logon names. By default, the use of enterprise principals is disabled, therefore, krb5_use_enterprise_principal = True needs to be added to sssd.conf to enable it.
;KDC : IPA KDC does understand multiple domains associated with the trusted AD forest. However, since no information about name suffixes associated with the forest is available, it cannot take them into account when processing enterprise logon names to issue referrals to the correct realm. Support needs to be added to allow IPA KDC to look up name suffixes associated with a trusted forest.
; IPA framework : Changes needed on IPA framework side to fetch from Active Directory a list of name suffixes and store them in the trusted domain objects.

== Implementation ==

For retrieving name suffixes, IPA framework needs to move to use NETLOGON netr_DsRGetForestTrustInformation function instead of netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and top level names associated with the forest.

As top level names (TLNs) have only a single string as a name suffix, they cannot be stored as trusted domains (they lack SID and NetBIOS name). Thus, either IPA KDB driver needs to be extended to understand trusted domains without SID and NetBIOS name, or TLNs need to be stored as a property of tree root domains of the forest.

== Feature Management ==

=== UI ===

If TLNs are added as a property of tree root domains of the forest, appropriate panel needs to be extended to display them.

=== CLI ===

If TLNs are added as a property of tree root domains of the forest, appropriate attribute need to be handled by '''trust-show''' command.

If TLNs represented as separate 'trusted domains' of the trusted forest, no work is needed on CLI other than being able to support 'trusted domains' without SID and NetBIOS name.

=== Configuration ===

No configuration options.

== Upgrade ==

No impact to upgrade.

== How to Test ==

In order to test UPN-based logons, create additional name suffixes in Active Directory and establish trust to it. After trust is established, the name suffixes should be usable when trying to kinit as enterprise principal.

== Test Plan ==

-----------------------------------------------------------------
--
/ Alexander Bokovoy

From pvoborni at redhat.com Wed Mar 2 11:42:46 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 2 Mar 2016 12:42:46 +0100
Subject: [Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help
Message-ID: <56D6D1B6.1030804@redhat.com>

Help and status text used incorrect name "ipa-migrate-winsync"

https://fedorahosted.org/freeipa/ticket/5713
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0954-fix-incorrect-name-of-ipa-winsync-migrate-command-in.patch
Type: text/x-patch
Size: 1506 bytes
Desc: not available
URL:

From tbabej at redhat.com Wed Mar 2 11:55:15 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 2 Mar 2016 12:55:15 +0100
Subject: [Freeipa-devel] [PATCH] 954 fix incorrect name of ipa-winsync-migrate command in help
In-Reply-To: <56D6D1B6.1030804@redhat.com>
References: <56D6D1B6.1030804@redhat.com>
Message-ID: <56D6D4A3.3040101@redhat.com>

On 03/02/2016 12:42 PM, Petr Vobornik wrote:
> Help and status text used incorrect name "ipa-migrate-winsync"
>
> https://fedorahosted.org/freeipa/ticket/5713
>
>

ACK,

Pushed to:
ipa-4-2: 7151ea394aac00ca596a8d7460a2fcefd258b36e
ipa-4-3: 57e02c7140fe2ad6fe6a6bc9823f84500bb78732
master: c68e9510d03abb75d353e209ea32ac9d1ed362bc

From dkupka at redhat.com Wed Mar 2 12:35:31 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 2 Mar 2016 07:35:31 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
In-Reply-To: <56D5C99A.4050201@redhat.com>
References: <56CF1455.3020904@redhat.com> <56CF30E6.5080902@redhat.com> <56D5C99A.4050201@redhat.com>
Message-ID: <1699917844.40576197.1456922131613.JavaMail.zimbra@redhat.com>

Tested with pylint-1.5.4-2, works for me, ACK.

----- Original Message -----
From: "Martin Basti"
To: "freeipa-devel"
Sent: Tuesday, March 1, 2016 5:55:54 PM
Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors

On 25.02.2016 17:50, Martin Basti wrote:

On 25.02.2016 15:48, Martin Basti wrote:

The last pylint 1.5 patch, \o/
https://fedorahosted.org/freeipa/ticket/5615

self-NACK too broad disables

Updated patches attached.

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From ofayans at redhat.com Wed Mar 2 12:47:35 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 2 Mar 2016 13:47:35 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D6ACF5.4070402@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com>
Message-ID: <56D6E0E7.8020503@redhat.com>

Hi Martin,

I've made the requested changes. The full set of necessary patches is attached.

On 03/02/2016 10:05 AM, Martin Basti wrote:
>
>
> On 02.03.2016 00:12, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 03/01/2016 07:04 PM, Martin Basti wrote:
>>>
>>> On 01.03.2016 14:56, Martin Basti wrote:
>>>>
>>>>
>>>> On 01.03.2016 12:37, Martin Basti wrote:
>>>>>
>>>>> On 01.03.2016 12:32, Martin Basti wrote:
>>>>>>
>>>>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> Finally the tests pass.
>>>>>>>
>>>>>>> The patch 0024 applies on top of patch 0022 (please, consider reviewing it also). Besides, the whole functionality depends on Martin's patch N 0421
>>>>>>>
>>>>>>> All patches pass pylint.
>>>>>> hello,
>>>>>>
>>>>>> I cannot apply patches on master branch
>>>>>> Martin^2
>>>>> My bad I applied wrong patch
>>>>>
>>>>>>>
>>>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>>>>>>> Hi Martin,
>>>>>>>>>
>>>>>>>>> I am sorry, in my previous email I attached the old version of patch 0016. The correct one is attached.
>>>>>>>>>
>>>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>
>>>>>>>>>>>> The updated patches are attached. Patch 0017 includes all changes from patch 0018, so, if you approve this one, there would be no need to continue with the review of 0018. This one contains all changes related to your remarks from 0018 review. Please see my explanation on the stdout+stderr part in the thread from patch 0018.
>>>>>>>>>>>> With these two patches applied one of the tests fails due this bug:
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>>>>>>>> Hi Martin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant DOMAIN_SUFFIX_NAME
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both patches are updated. Thank you for your help!
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, see my comment below
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of https://fedorahosted.org/freeipa/ticket/5469 during KRA testing
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL constants, this may change over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 for domain level 0 and 1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just uninstall server which covers KRA uninstall?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method):
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall,
>>>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> It should allow specify host where KRA should be installed not just master
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self):
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy):
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something like TestReplicaPromotionLevel0
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review and it will be pushed sooner than tests
>>>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot reproduce it with ipa-kra-install, so please provide steps to reproduce if you insist that this still does not work as expected with KRA.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes everything that we tried to achieve with previous patches with domain level in CI
>>>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain level per class is WAY more convenient, than to always have to think which domain level is appropriate for which particular test during jenkins job configuration. In fact, I should have thought about it from the very beginning. For example, in test_replica_promotion.py we have on class, which initiates with domain level = 1, while others - with domain level 0. With config-based approach, we would have to implement a separate step that raises domain level. Overall, I am against the approach, when you have to remember to set certain domain level in config for any particular test. The tests themselves should be aware of the domain level they need.
>>>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something that overrides settings in from config in a particular test case, I say your patch is doing it wrong.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param domain_level in install_master, and install_topo methods, but it cannot be MAX_DOMAIN_LEVEL by default, because with your current patch the domain_level in config is not used at all, it will be always MAX_DOMAIN_LEVEL
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: test_vault.py, this test suite can run on domain level1 and on domain level0, so with one test we can test 2 domain levels just with putting domain level into config file.
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. If >>>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, >>>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted >>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>> Why is this change in the patch? 
>>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if >>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created >>>>>>>>>>>>>>>>>>>> again. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the >>>>>>>>>>>>>>>>>>>> corresponding dns >>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the >>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes >>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not >>>>>>>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably >>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. 
>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns >>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>>>> Right. Removed >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>> 
./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to 
the current >>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The >>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>> attached >>>>>>>>>>>>>>> >>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>>>> keyword >>>>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>> member) >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' >>>>>>>>>>>>>> member) >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' >>>>>>>>>>>>>> member) >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore' >>>>>>>>>>>>>> member) >>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>>>> Unexpected >>>>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>>>> >>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with >>>>>>>>>>>>> review >>>>>>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>>>>>> test is >>>>>>>>>>> working, we may push this. >>>>>>>>>>> >>>>>>>>>> Is this expected due the bug you mentioned? 
>>>>>>>>>> _____ >>>>>>>>>> __________________________________________________________________________ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>>>> ________________________________________________________________________________ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> self = >>>>>>>>>> >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> object at 0x7f5071a59e50> >>>>>>>>>> >>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>>>> raiseonerr=False) >>>>>>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>>>> [replica_file] >>>>>>>>>> E >>>>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>>>> E The ipa-kra-install command failed. See >>>>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>>>> E >>>>>>>>>> E assert 2 == 0 >>>>>>>>>> E + where 2 = >>>>>>>>> object at >>>>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>>>> >>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>>>> certificates in replica file >>>>>>>> >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>> >>>>>>>> RUN >>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing >>>>>>>> KRA >>>>>>>> certificates, please create a new replica file. >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>>>> ipa-kra-install command failed. 
See
>>>>>>>> /var/log/ipaserver-kra-install.log
>>>>>>>> for more information
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit
>>>>>>>> code: 1
>>>>>>>> FAILED
>>>>>>>> traceback
>>>>>>>>
>>>>>>>> self =
>>>>>>>>
>>>>>>> object at 0x7f660bc1a590>
>>>>>>>>
>>>> I just read the code.
>>>>
>>>> PATCH 16:
>>>> 0)
>>>> PEP8
>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111
>>>> indentation is not a multiple of four
>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113
>>>> unexpected indentation
>>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501
>>>> line too long (80 > 79 characters)
>>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501
>>>> line too long (81 > 79 characters)
>>>>
>>>> 1)
>>>> workaround is not workaround, because the host entry is removed
>>>> anyway, the error is raised from POST callback, please remove it
>>>> + # Workaround for 5627
>>>> + if "host not found" in result.stderr_text:
>>>> + self.master.run_command(["ipa",
>>>> + "host-del",
>>>> + host.hostname],
>>>> raiseonerr=False)
>>> sorry, I was wrong with this, check is in pre_callback, but please
>>> remove it anyway, I will send patch to fix it ASAP
>> Done
> I realized that the fix I'm working on is for 4.4 only, so for 4.3 add
> this as separated patch.

Done, patch 0027

>>>> 2)
>>>> Please name it better, for example "replica" instead of "i"
>>>> + for i in self.replicas:
>>>> + tasks.install_replica(master, i, setup_ca=False,
>>>> + setup_dns=True)
>> Done
>>
>>>> 3)
>>>> Please use constant for domain level (multiple times)
>>>> + result1 = tasks.install_ca(replica1, domain_level=1,
>>>> raiseonerr=False)
>>>>
>>>> + tasks.install_ca(replica1, domain_level=0)
>>>> + result2 = tasks.install_ca(replica2, domain_level=0,
>>>> raiseonerr=False)
>>>> ... more times
>> Done
>>
>>>> 4)
>>>> This link does not exists, only connect is deprecated not
>>>> ipa-replica-manage at all
>>>> + def test_replica_manage_commands(self):
>>>> + """
>>>> + TestCase:
>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
>>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1
>>>> + """
>> Fixed
>>
>>>> 5)
>>>> Missing testcases:
>>>>
>>>> Test case: Unprivileged users are not allowed to enroll and promote
>>>> clients
>>>> Test case: Replica created using old workflow is functional after
>>>> domain upgrade
>>>> Test case: ipa-csreplica-manage connect is deprecated in domain level 1
>>>> Test case: Replica can be installed using one command
>>>> Test case: Prohibit ipa server uninstallation from disconnecting
>>>> topology segment
>>>>
>> They are on the way, not fully ready yet
>>
>>>> PATCH 24:
>>>>
>>>> 1)
>>>> why there is this change, how it is related to this patch?:
>>>> def apply_common_fixes(host):
>>>> + prepare_host(host)
>>>> fix_etc_hosts(host)
>>>> fix_hostname(host)
>>>> - prepare_host(host)
>> Good catch! That was one of my attempts to address the issue that was
>> successfully resolved in patch 0025. Will remove it once we agree on the
>> rest of the changes

Removed

>>
>>>> 2)
>>>> Why is there this change, how it is related to this patch?:
>>>> def replica_prepare(master, replica):
>>>> - apply_common_fixes(replica)
>>>> fix_apache_semaphores(replica)
>>>> ...
>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False,
>>>> ...
>>>> + apply_common_fixes(replica)
>> Just to make this call independent from domain level (at domain_level 1
>> replica_prepare never gets called)
> It should be in separate commit, because it is not related to adding
> domain_level in class functionality

Done. Patch 0026

>>
>>
>>>> 3)
>>>> why is there this change, how it is related to this patch?:
>>>> -
>>>> + args.extend(['-n', replica.domain.name,
>>>> + '-r', replica.domain.realm])
>> At least -r is a required parameter. -n was added for further
>> robustness. Can be safely removed, though
> It should be in separate commit, as this is not related to domain levels

Done. Patch 0026

>>
>>>> 4)
>>>> why there force, how is this change related to this patch (domain
>>>> levels)?
>>>> '-w', client.config.admin_password,
>>>> - '--server', master.hostname]
>>>> + '--server', master.hostname,
>>>> + '--force']
>>>> + list(extra_args))
>> client refuses to install unless everything is super clear in the dns
>> setup (including reverse zone). Otherwise the installer fails and
>> informs you that you may use '--force' at your own risk. I can rerun the
>> tests without this option to provide you with the exact output, if you
>> like.
> It should be in separated commit, because it is not related to domain
> levels

I've run the tests without this option again and it passed. Must have been some temporary issue. Removed this change.

>>
>>>> Otherwise domain level related changes LGTM
>>>>
>>>> PATCH 25
>>>>
>>>> LGTM
>>>>
>>>> Martin^2
>>>>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0016.9-Integration-tests-for-replica-promotion-feature.patch
Type: text/x-patch
Size: 10939 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0022.2-Removed-messing-around-with-resolv.conf.patch
Type: text/x-patch
Size: 3289 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0024.1-Enabled-setting-domain-level-explicitly-in-test-clas.patch
Type: text/x-patch
Size: 4116 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
Type: text/x-patch
Size: 1531 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0026-replica-installation-fixes.patch
Type: text/x-patch
Size: 1841 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0027-Workaround-for-ticket-5627.patch
Type: text/x-patch
Size: 1213 bytes
Desc: not available
URL:

From tbabej at redhat.com Wed Mar 2 13:58:17 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 2 Mar 2016 14:58:17 +0100
Subject: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
In-Reply-To: <1699917844.40576197.1456922131613.JavaMail.zimbra@redhat.com>
References: <56CF1455.3020904@redhat.com> <56CF30E6.5080902@redhat.com> <56D5C99A.4050201@redhat.com> <1699917844.40576197.1456922131613.JavaMail.zimbra@redhat.com>
Message-ID: <56D6F179.8030808@redhat.com>

On 03/02/2016 01:35 PM, David Kupka wrote:
> Tested with pylint-1.5.4-2, works for me, ACK.
>
> ----- Original Message -----
> From: "Martin Basti"
> To: "freeipa-devel"
> Sent: Tuesday, March 1, 2016 5:55:54 PM
> Subject: Re: [Freeipa-devel] [PATCH 0425] pylint: suppress false positive no-member errors
>
> On 25.02.2016 17:50, Martin Basti wrote:
>
> On 25.02.2016 15:48, Martin Basti wrote:
>
> The last pylint 1.5 patch, \o/
>
> https://fedorahosted.org/freeipa/ticket/5615
>
> self-NACK too broad disables
>
> Updated patches attached.
>

Pushed to:
ipa-4-2: aaad91d32ee855813bac5f57f8af128cfee327a5
ipa-4-3: 76545e2a54ebbfc5422d2a4bcd51fad1bbd8a79a
master: 72d5499c5a902c860c5496ee6e604526672e5777

From pviktori at redhat.com Wed Mar 2 13:58:53 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Wed, 2 Mar 2016 14:58:53 +0100
Subject: [Freeipa-devel] [PATCHES] 0772-0774 Python3 fixes in for client installation
In-Reply-To: <56D54B73.6000500@redhat.com>
References: <56CAF30F.7010306@redhat.com> <56D079F2.2020501@redhat.com> <56D3EF5C.1090008@redhat.com> <56D46E6A.2050600@redhat.com> <56D54B73.6000500@redhat.com>
Message-ID: <56D6F19D.4020605@redhat.com>

On 03/01/2016 08:57 AM, Jan Cholasta wrote:
> On 29.2.2016 17:14, Petr Viktorin wrote:
>> On 02/29/2016 08:12 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 26.2.2016 17:14, Petr Viktorin wrote:
>>>> On 02/22/2016 12:37 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> These fixes are needed for the "happy path" of ipa-client-install
>>>>> --server on Python 3.
>>>>
>>>> Hello,
>>>> Could someone please look at these patches?
>>>
>>> Patch 0772:
>
> It seems this bit:
>
> + [cn] = lres.raw['cn']
> + lrealms.append(cn.decode('utf-8'))
>
> breaks ipa-client-install:
>
> Traceback (most recent call last):
> File "/sbin/ipa-client-install", line 3099, in
> sys.exit(main())
> File "/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/sbin/ipa-client-install", line 2769, in install
> delete_persistent_client_session_data(host_principal)
> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 145, in
> delete_persistent_client_session_data
> kernel_keyring.del_key(keyname)
> File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py",
> line 130, in del_key
> assert isinstance(key, str)
> AssertionError
>
> because realm is returned as unicode from ipadiscovery.

Ah, thanks for the catch. This should fix it.

>
>>>
>>> 1) Instead of decoding when the type is bytes in get_ipa_basedn(), read
>>> attribute values from 'entry.raw' rather than 'entry' and decode always.
>>
>> Done.
>>
>>> 2) get_ipa_basedn() is used only in ipadiscovery, perhaps we should move
>>> it there?
>>
>> I did that in an extra patch, mainly to make the diff more meaningful.
>
> OK. The patch needs a rebase for ipa-4-3, there is a stray
> get_ipa_basedn import in install/migration/migration.py.

Attaching patch 0775 for that, please apply it before the others.

>>> Patch 0773: ACK, but the patch does not apply on ipa-4-3. Could you try `git cherry-pick` from the master branch after applying to master?
>>> Patch 0774: ACK.
>
>

--
Petr Viktorin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0771.3-Move-get_ipa_basedn-from-ipautil-to-ipadiscovery.patch
Type: text/x-patch
Size: 5126 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0772.3-ipadiscovery-Decode-to-unicode-in-ipacheckldap-get_i.patch
Type: text/x-patch
Size: 2661 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0773.3-ipapython.sysrestore-Use-str-methods-instead-of-func.patch
Type: text/x-patch
Size: 2705 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0774.3-ipalib.x809-Accept-bytes-for-make_pem.patch
Type: text/x-patch
Size: 928 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pviktori-0775-ipa-4-3-migration.py-Remove-stray-get_ipa_basedn-import.patch
Type: text/x-patch
Size: 824 bytes
Desc: not available
URL:

From jcholast at redhat.com Wed Mar 2 14:35:58 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 2 Mar 2016 15:35:58 +0100 Subject: [Freeipa-devel] [PATCHES 548-549] ipalib: add convenient Command method for adding messages Message-ID: <56D6FA4E.6060905@redhat.com> Hi, these patches are for master only, see commit messages for details. Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-548-ipalib-provide-per-call-command-context.patch Type: text/x-patch Size: 2569 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-549-ipalib-add-convenient-Command-method-for-adding-mess.patch Type: text/x-patch Size: 2556 bytes Desc: not available URL: From pvoborni at redhat.com Wed Mar 2 15:06:24 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 2 Mar 2016 16:06:24 +0100 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <20160302105525.GJ4492@redhat.com> References: <20160302105525.GJ4492@redhat.com> Message-ID: <56D70170.1080201@redhat.com> On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: > Hi, > > http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains > describes a design page to support name suffixes from trusted Active > Directory domains. > > A prototype code exists (written by me and Sumit) and was tested by Sumit > against recent releases of SSSD. > > Text is provided below for easier commenting. > ----------------------------------------------------------------- > {{Feature|version=TODO|ticket=TODO|author=Ab}} > > == Overview == > User principal name (UPN) in Active Directory is the primary form of > addressing users. UPN has structure of 'user name at suffix' where both > user name and suffix parts may vary. By default the suffix is the same > as the Active Directory domain name but AD administrators may create > additional name suffixes and associate them with specific users. These > additional UPNs for users may then be used for Kerberos authentication > against Active Directory domains. > > Alternative UPNs are often used when several companies with Active > Directory deployments merge and want to provide unified logon namespace. > > The purpose of this feature is to allow using alternative UPNs > associated with the Active Directory users when accessing resources in > FreeIPA domain. > > == Use Cases == > > As an Active Directory user, I want to login using my user at EXAMPLE user > principal name even if my Active Directory domain is named > REGION.EXAMPLE.COM. > == Design== > Support for UPNs is split to three different components: > ;Client-side > : SSSD already supports logon with UPN by asking a KDC to accept > enterprise logon names. 
By default, the use of enterprise principals is > disabled, therefore, krb5_use_enterprise_principal = True > needs to be added to sssd.conf to enable it. > > ;KDC > : IPA KDC does understand multiple domains associated with the trusted > AD forest. However, since no information about name suffixes associated > with the forest is available, it cannot take them into account when > processing enterprise logon names to issue referrals to the correct > realm. Support needs to be added to allow IPA KDC to look up name > suffixes associated with a trusted forest. > > ; IPA framework > : Changes needed on IPA framework side to fetch from Active Directory a > list of name suffixes and store them in the trusted domain objects. > > == Implementation == > For retrieving name suffixes, IPA framework needs to move to use > NETLOGON netr_DsRGetForestTrustInformation function instead of > netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and > top level names associated with the forest. > > As top level names (TLNs) have only a single string as a name suffix, > they cannot be stored as trusted domains (they lack SID and NetBIOS > name). Thus, either IPA KDB driver needs to be extended to understand > trusted domains without SID and NetBIOS name, or TLNs need to be stored > as a property of tree root domains of the forest. > > == Feature Management == > > === UI === > If TLNs are added as a property of tree root domains of the forest, > appropriate panel needs to be extended to display them. > > === CLI === > If TLNs are added as a property of tree root domains of the forest, > appropriate attribute need to be handled by '''trust-show''' command. If > TLNs represented as separate 'trusted domains' of the trusted forest, no > work is needed on CLI other than being able to support 'trusted domains' > without SID and NetBIOS name. What is meant by 'tree root domains of the forest' in IPA context? The trust object? 
Btw trustdomain object has ipantflatname and ipanttrusteddomainsid attributes as optional so it is possible to store it there assuming modification of KDB driver. > > === Configuration === > No configuration options. > > == Upgrade == > No impact to upgrade. > > == How to Test == > In order to test UPN-based logons, create additional name suffixes in > Active Directory and establish trust to it. After trust is established, > the name suffixes should be usable when trying to kinit as enterprise > principal. > > == Test Plan == > > ----------------------------------------------------------------- > -- Petr Vobornik From abokovoy at redhat.com Wed Mar 2 15:24:55 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 2 Mar 2016 17:24:55 +0200 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <56D70170.1080201@redhat.com> References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> Message-ID: <20160302152455.GP4492@redhat.com> On Wed, 02 Mar 2016, Petr Vobornik wrote: >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: >>Hi, >> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains >>describes a design page to support name suffixes from trusted Active >>Directory domains. >> >>A prototype code exists (written by me and Sumit) and was tested by Sumit >>against recent releases of SSSD. >> >>Text is provided below for easier commenting. >>----------------------------------------------------------------- >>{{Feature|version=TODO|ticket=TODO|author=Ab}} >> >>== Overview == >>User principal name (UPN) in Active Directory is the primary form of >>addressing users. UPN has structure of 'user name at suffix' where both >>user name and suffix parts may vary. By default the suffix is the same >>as the Active Directory domain name but AD administrators may create >>additional name suffixes and associate them with specific users. These >>additional UPNs for users may then be used for Kerberos authentication >>against Active Directory domains. >> >>Alternative UPNs are often used when several companies with Active >>Directory deployments merge and want to provide unified logon namespace. >> >>The purpose of this feature is to allow using alternative UPNs >>associated with the Active Directory users when accessing resources in >>FreeIPA domain. >> >>== Use Cases == >> >>As an Active Directory user, I want to login using my user at EXAMPLE user >>principal name even if my Active Directory domain is named >>REGION.EXAMPLE.COM. 
>>== Design== >>Support for UPNs is split to three different components: >>;Client-side >>: SSSD already supports logon with UPN by asking a KDC to accept >>enterprise logon names. By default, the use of enterprise principals is >>disabled, therefore, krb5_use_enterprise_principal = True >>needs to be added to sssd.conf to enable it. >> >>;KDC >>: IPA KDC does understand multiple domains associated with the trusted >>AD forest. However, since no information about name suffixes associated >>with the forest is available, it cannot take them into account when >>processing enterprise logon names to issue referrals to the correct >>realm. Support needs to be added to allow IPA KDC to look up name >>suffixes associated with a trusted forest. >> >>; IPA framework >>: Changes needed on IPA framework side to fetch from Active Directory a >>list of name suffixes and store them in the trusted domain objects. >> >>== Implementation == >>For retrieving name suffixes, IPA framework needs to move to use >>NETLOGON netr_DsRGetForestTrustInformation function instead of >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and >>top level names associated with the forest. >> >>As top level names (TLNs) have only a single string as a name suffix, >>they cannot be stored as trusted domains (they lack SID and NetBIOS >>name). Thus, either IPA KDB driver needs to be extended to understand >>trusted domains without SID and NetBIOS name, or TLNs need to be stored >>as a property of tree root domains of the forest. >> >>== Feature Management == >> >>=== UI === >>If TLNs are added as a property of tree root domains of the forest, >>appropriate panel needs to be extended to display them. >> >>=== CLI === >>If TLNs are added as a property of tree root domains of the forest, >>appropriate attribute need to be handled by '''trust-show''' command. 
If >>TLNs represented as separate 'trusted domains' of the trusted forest, no >>work is needed on CLI other than being able to support 'trusted domains' >>without SID and NetBIOS name. > >What is meant by 'tree root domains of the forest' in IPA context? The >trust object? Yes. A forest might have multiple tree roots. We establish trust with one of them (forest root domain) but you can have distinct tree roots too. For a forest example.com a separate tree root could be ad.test which is still a part of the forest. In Windows' UI for domains and forests trust you'll see it as a separate entry at the top level. Each tree root may have associated name suffixes. There are actually two different approaches we discussed with Sumit -- one is to store TLNs as attributes of TDO, another is to create separate TDOs, building on the fact you noticed: >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid >attributes as optional so it is possible to store it there assuming >modification of KDB driver. This is what I did already in the prototype: https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch So we are sure that either way would work, the question is what would be more usable UX-wise. -- / Alexander Bokovoy From pvoborni at redhat.com Wed Mar 2 15:31:52 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 2 Mar 2016 16:31:52 +0100 Subject: [Freeipa-devel] External trust to AD In-Reply-To: <20160302101333.GI4492@redhat.com> References: <20160302101333.GI4492@redhat.com> Message-ID: <56D70768.7030907@redhat.com> On 03/02/2016 11:13 AM, Alexander Bokovoy wrote: > Hi, > > http://www.freeipa.org/page/V4/External_trust_to_AD documents a design > for external trust to AD feature. > > The text is included below for easier review. > ----------------------------------------------------------------------- > {{Feature|version=TODO|ticket=TODO|author=Ab}} > > == Overview == > Support for external trust to a domain from Active Directory forest > > An external trust is a trust relationship between Active Directory > domains that are in different Active Directory forests. While forest > trust always requires to establish trust between root domains of the > Active Directory forests, external trust can be established to any > domain within the forest. > > == Use Cases == > > As an Active Directory domain admin, I want to establish trust between > IPA and my domain only. The trust between IPA and an external Active > Directory domain will be non-transitive as no users or groups from other > Active Directory domains will have access to IPA resources. > > == Design== > > External trust between Active Directory domains is by definition > non-transitive and enforces SID filtering between the domain boundaries. > This means only users and groups with SIDs from the trusted domain can > use the resources and be visible on IPA systems. None of other users and > groups from domains the trusted domain trusts within its own Active > Directory forest or other externally trusted domains will be allowed to > access IPA resources. > > == Implementation == > > External trust feature re-uses existing forest trust infrastructure. 
> There are several specific changes to allow supporting external trust: > * '''Non-transitivity''': since external trust is non-transitive by > * definition, any attempt to set transitivity feature of the trust link > * with LSA SetInformationTrustedDomain() command will fail. Thus, there > * is no need to set transitivity for the external trust. Sounds very simple :) Do I get it right that it is possible to do it today? Because now the code just does: root_logger.error('unable to set trust to transitive: %s' % (str(e))) pass > * '''Trust attributes''': external trust can be detected by looking into > * absence of ipaNTTrustAttributes LDAP attribute of the trusted domain > * object. > > == Feature Management == > > === UI === > An option 'external trust' needs to be added to Web UI, corresponding to > '--external' flag in 'trust-add' command in CLI. > > === CLI === > An external trust creation can be requested by passing additional flag > '--external=true' to the 'trust-add' command. The flag defaults to > 'false', e.g. no external trust would be created. > > {| class="wikitable" > |- > ! Command > ! Options > |- > | trust-add > | --external=true/false > |} We should also add 'external' param to output of trust_find and trust_show + corresponding change in Web UI and CLI. > === Configuration === > No configuration options needed. > > == Upgrade == > No changes on upgrades. The trust properties are only set up at trust > creation time. > > == How to Test == > In order to test the external trust, attempt to create a trust to > non-root domain in an Active Directory forest. It should fail without > '--external=true' option and should be able to establish the external > trust with '--external=true' option to 'trust-add' command. > > A type of the trust can be seen with 'trust-show' command. > > == Test Plan == > > ----------------------------------------------------------------------- > -- Petr Vobornik From sbose at redhat.com Wed Mar 2 15:33:29 2016 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 2 Mar 2016 16:33:29 +0100 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <56D70170.1080201@redhat.com> References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> Message-ID: <20160302153329.GF3079@p.redhat.com> On Wed, Mar 02, 2016 at 04:06:24PM +0100, Petr Vobornik wrote: > On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: > >Hi, > > > >http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains > >describes a design page to support name suffixes from trusted Active > >Directory domains. > > > >A prototype code exists (written by me and Sumit) and was tested by Sumit > >against recent releases of SSSD. > > > >Text is provided below for easier commenting. > >----------------------------------------------------------------- > >{{Feature|version=TODO|ticket=TODO|author=Ab}} > > > >== Overview == > >User principal name (UPN) in Active Directory is the primary form of > >addressing users. UPN has structure of 'user name at suffix' where both > >user name and suffix parts may vary. By default the suffix is the same > >as the Active Directory domain name but AD administrators may create > >additional name suffixes and associate them with specific users. These > >additional UPNs for users may then be used for Kerberos authentication > >against Active Directory domains. > > > >Alternative UPNs are often used when several companies with Active > >Directory deployments merge and want to provide unified logon namespace. > > > >The purpose of this feature is to allow using alternative UPNs > >associated with the Active Directory users when accessing resources in > >FreeIPA domain. > > > >== Use Cases == > > > >As an Active Directory user, I want to login using my user at EXAMPLE user > >principal name even if my Active Directory domain is named > >REGION.EXAMPLE.COM. 
> >== Design== > >Support for UPNs is split to three different components: > >;Client-side > >: SSSD already supports logon with UPN by asking a KDC to accept > >enterprise logon names. By default, the use of enterprise principals is > >disabled, therefore, krb5_use_enterprise_principal = True > >needs to be added to sssd.conf to enable it. > > > >;KDC > >: IPA KDC does understand multiple domains associated with the trusted > >AD forest. However, since no information about name suffixes associated > >with the forest is available, it cannot take them into account when > >processing enterprise logon names to issue referrals to the correct > >realm. Support needs to be added to allow IPA KDC to look up name > >suffixes associated with a trusted forest. > > > >; IPA framework > >: Changes needed on IPA framework side to fetch from Active Directory a > >list of name suffixes and store them in the trusted domain objects. > > > >== Implementation == > >For retrieving name suffixes, IPA framework needs to move to use > >NETLOGON netr_DsRGetForestTrustInformation function instead of > >netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and > >top level names associated with the forest. > > > >As top level names (TLNs) have only a single string as a name suffix, > >they cannot be stored as trusted domains (they lack SID and NetBIOS > >name). Thus, either IPA KDB driver needs to be extended to understand > >trusted domains without SID and NetBIOS name, or TLNs need to be stored > >as a property of tree root domains of the forest. > > > >== Feature Management == > > > >=== UI === > >If TLNs are added as a property of tree root domains of the forest, > >appropriate panel needs to be extended to display them. > > > >=== CLI === > >If TLNs are added as a property of tree root domains of the forest, > >appropriate attribute need to be handled by '''trust-show''' command. 
If > >TLNs represented as separate 'trusted domains' of the trusted forest, no > >work is needed on CLI other than being able to support 'trusted domains' > >without SID and NetBIOS name. > > What is meant by 'tree root domains of the forest' in IPA context? The trust > object? yes > > Btw trustdomain object has ipantflatname and ipanttrusteddomainsid > attributes as optional so it is possible to store it there assuming > modification of KDB driver. yes, Alexander has a POC patch which does exactly that. Nevertheless I would prefer to store the list in the ipaNTTrustedDomain object of the forest root where we also store the SID blacklist. I think this makes sense because the alternative domain suffixes are a feature of the whole forest. Any domain in the forest can use them and they basically have no meaning on their own. Additionally I think it is more clear to have them in properly named attributes than adding some heuristics like: ipaNTTrustedDomain with no SID and flat name == alternative domain suffix ipaNTTrustedDomain with SID and flat name and nothing else == member domain in the trusted forest ipaNTTrustedDomain with SID, flat name and more == forest root bye, Sumit > > > > >=== Configuration === > >No configuration options. > > > >== Upgrade == > >No impact to upgrade. > > > >== How to Test == > >In order to test UPN-based logons, create additional name suffixes in > >Active Directory and establish trust to it. After trust is established, > >the name suffixes should be usable when trying to kinit as enterprise > >principal. > > > >== Test Plan == > > > >----------------------------------------------------------------- > > > -- > Petr Vobornik > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From sbose at redhat.com Wed Mar 2 15:38:49 2016 
From: sbose at redhat.com (Sumit Bose) Date: Wed, 2 Mar 2016 16:38:49 +0100 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <20160302152455.GP4492@redhat.com> References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> <20160302152455.GP4492@redhat.com> Message-ID: <20160302153849.GG3079@p.redhat.com> On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote: > On Wed, 02 Mar 2016, Petr Vobornik wrote: > >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: > >>Hi, > >> > >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains > >>describes a design page to support name suffixes from trusted Active > >>Directory domains. > >> > >>A prototype code exists (written by me and Sumit) and was tested by Sumit > >>against recent releases of SSSD. > >> > >>Text is provided below for easier commenting. > >>----------------------------------------------------------------- > >>{{Feature|version=TODO|ticket=TODO|author=Ab}} > >> > >>== Overview == > >>User principal name (UPN) in Active Directory is the primary form of > >>addressing users. UPN has structure of 'user name at suffix' where both > >>user name and suffix parts may vary. By default the suffix is the same > >>as the Active Directory domain name but AD administrators may create > >>additional name suffixes and associate them with specific users. These > >>additional UPNs for users may then be used for Kerberos authentication > >>against Active Directory domains. > >> > >>Alternative UPNs are often used when several companies with Active > >>Directory deployments merge and want to provide unified logon namespace. > >> > >>The purpose of this feature is to allow using alternative UPNs > >>associated with the Active Directory users when accessing resources in > >>FreeIPA domain. 
> >> > >>== Use Cases == > >> > >>As an Active Directory user, I want to login using my user at EXAMPLE user > >>principal name even if my Active Directory domain is named > >>REGION.EXAMPLE.COM. > >>== Design== > >>Support for UPNs is split to three different components: > >>;Client-side > >>: SSSD already supports logon with UPN by asking a KDC to accept > >>enterprise logon names. By default, the use of enterprise principals is > >>disabled, therefore, krb5_use_enterprise_principal = True > >>needs to be added to sssd.conf to enable it. > >> > >>;KDC > >>: IPA KDC does understand multiple domains associated with the trusted > >>AD forest. However, since no information about name suffixes associated > >>with the forest is available, it cannot take them into account when > >>processing enterprise logon names to issue referrals to the correct > >>realm. Support needs to be added to allow IPA KDC to look up name > >>suffixes associated with a trusted forest. > >> > >>; IPA framework > >>: Changes needed on IPA framework side to fetch from Active Directory a > >>list of name suffixes and store them in the trusted domain objects. > >> > >>== Implementation == > >>For retrieving name suffixes, IPA framework needs to move to use > >>NETLOGON netr_DsRGetForestTrustInformation function instead of > >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and > >>top level names associated with the forest. > >> > >>As top level names (TLNs) have only a single string as a name suffix, > >>they cannot be stored as trusted domains (they lack SID and NetBIOS > >>name). Thus, either IPA KDB driver needs to be extended to understand > >>trusted domains without SID and NetBIOS name, or TLNs need to be stored > >>as a property of tree root domains of the forest. > >> > >>== Feature Management == > >> > >>=== UI === > >>If TLNs are added as a property of tree root domains of the forest, > >>appropriate panel needs to be extended to display them. 
> >> > >>=== CLI === > >>If TLNs are added as a property of tree root domains of the forest, > >>appropriate attribute need to be handled by '''trust-show''' command. If > >>TLNs represented as separate 'trusted domains' of the trusted forest, no > >>work is needed on CLI other than being able to support 'trusted domains' > >>without SID and NetBIOS name. > > > >What is meant by 'tree root domains of the forest' in IPA context? The > >trust object? > Yes. A forest might have multiple tree roots. We establish trust with > one of them (forest root domain) but you can have distinct tree roots > too. For a forest example.com a separate tree root could be ad.test > which is still a part of the forest. In Windows' UI for domains and > forests trust you'll see it as a separate entry at the top level. Each > tree root may have associated name suffixes. But I thought they still can be used across the whole forest, e.g. if you assign an alternative domain suffix in the UI of ad.test you can use this suffix for users from example.com as well? bye, Sumit > > There are actually two different approaches we discussed with Sumit > -- one is to store TLNs as attributes of TDO, another is to create > separate TDOs, building on the fact you noticed: > >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid > >attributes as optional so it is possible to store it there assuming > >modification of KDB driver. > This is what I did already in the prototype: https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch > > So we are sure that either way would work, the question is what would be > more usable UX-wise. > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbasti at redhat.com Wed Mar 2 15:41:50 2016 
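Added example, not part of any message in this thread and not FreeIPA code: a sketch of the suffix lookup the UPN design asks of the KDC, with the name suffixes kept as a property of the forest root as Sumit prefers. `TrustedForest`, `referral_realm` and the sample names are hypothetical; whole-label, case-insensitive, longest-match comparison and refusing a suffix claimed by two forests are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedForest:
    """One trusted AD forest as this example models it (hypothetical type)."""
    root_realm: str                          # realm the trust is established with
    member_domains: frozenset = frozenset()  # DNS names of domains in the forest
    name_suffixes: frozenset = frozenset()   # additional UPN suffixes of the forest


class AmbiguousSuffix(Exception):
    """More than one trusted forest claims the same suffix."""


def normalize(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()


def covers(claim, suffix):
    """True if suffix equals claim or is a subdomain of it (whole labels only)."""
    return suffix == claim or suffix.endswith("." + claim)


def split_upn(upn):
    """Split 'user@suffix' at the last '@'; both parts must be non-empty."""
    user, sep, suffix = upn.rpartition("@")
    suffix = normalize(suffix)
    if not sep or not user or not suffix:
        raise ValueError("not a user@suffix name: %r" % (upn,))
    return user, suffix


def referral_realm(upn, local_realm, forests):
    """Return the forest root realm to refer `upn` to.

    Returns None when the suffix belongs to the local realm or to no trusted
    forest, so an unknown suffix is never referred anywhere.
    """
    _user, suffix = split_upn(upn)
    local = normalize(local_realm)
    best_len, owners = 0, set()
    if covers(local, suffix):
        best_len, owners = len(local), {None}   # None marks the local realm
    for forest in forests:
        owner = forest.root_realm.upper()
        claims = {forest.root_realm, *forest.member_domains,
                  *forest.name_suffixes}
        for claim in map(normalize, claims):
            if not covers(claim, suffix):
                continue
            if len(claim) > best_len:           # more specific claim wins
                best_len, owners = len(claim), {owner}
            elif len(claim) == best_len:
                owners.add(owner)
    if not owners or None in owners:
        return None                             # local realm keeps its own names
    if len(owners) > 1:
        raise AmbiguousSuffix("%s claimed by %s" % (suffix, sorted(owners)))
    return next(iter(owners))


# Constructed sample data: forest example.com with member domain
# region.example.com, separate tree root ad.test and one extra suffix.
SAMPLE_FORESTS = [
    TrustedForest(
        root_realm="EXAMPLE.COM",
        member_domains=frozenset({"region.example.com", "ad.test"}),
        name_suffixes=frozenset({"corp.test"}),
    ),
]

if __name__ == "__main__":
    for name in ("alice@corp.test", "bob@region.example.com",
                 "mallory@notcorp.test", "admin@ipa.test"):
        print(name, "->", referral_realm(name, "IPA.TEST", SAMPLE_FORESTS))
```
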
From: mbasti at redhat.com (Martin Basti) Date: Wed, 2 Mar 2016 16:41:50 +0100 Subject: [Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095 In-Reply-To: <56D5A5B8.7080108@redhat.com> References: <56AB80BE.4090604@redhat.com> <56B1C6E2.60106@redhat.com> <56B1FE4C.4080600@redhat.com> <56B3029F.70001@redhat.com> <56BDF43D.70503@redhat.com> <56C7147A.1090407@redhat.com> <56D5A5B8.7080108@redhat.com> Message-ID: <56D709BE.9050707@redhat.com> On 01.03.2016 15:22, Milan Kubík wrote: > On 02/19/2016 02:11 PM, Oleg Fayans wrote: >> Hi Milan, >> >> On 02/12/2016 04:03 PM, Milan Kubík wrote: >>> >> Agreed. The latest patch gets rid of all resolv.conf related >> manipulations. The tests work (where not affected by >> https://fedorahosted.org/bind-dyndb-ldap/ticket/160) >> >> >>> -- >>> Milan Kubik >>> > Works for me, tested on sudo test that requires autodiscovery. ACK > Pushed to: ipa-4-3: a8f53296f633a8c2a0f6a041dd1d4bec854d206e master: cfbb7769a70f4cac4bb6d6b7fe36116b43c830e7 From mbasti at redhat.com Wed Mar 2 15:46:03 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 2 Mar 2016 16:46:03 +0100 Subject: [Freeipa-devel] [PATCH] 0017 configure DNA shared config entry to allow connection with GSSAPI In-Reply-To: <56D59E27.6070508@redhat.com> References: <56A0D0EC.3010009@redhat.com> <56A1018D.101@redhat.com> <56CDCC82.30108@redhat.com> <56CEDF98.7060809@redhat.com> <56CF452E.30503@redhat.com> <56D06E27.2050408@redhat.com> <56D081E4.4070702@redhat.com> <56D473D7.2050103@redhat.com> <56D59E27.6070508@redhat.com> Message-ID: <56D70ABB.9070408@redhat.com> On 01.03.2016 14:50, Martin Babinsky wrote: > On 02/29/2016 05:37 PM, thierry bordaz wrote: >> On 02/26/2016 05:48 PM, Martin Babinsky wrote: >>> On 02/26/2016 04:24 PM, thierry bordaz wrote: >>>> On 02/25/2016 07:17 PM, thierry bordaz wrote: >>>>> On 02/25/2016 12:03 PM, Martin Babinsky wrote: >>>>>> On 02/24/2016 04:30 PM, thierry bordaz wrote: >>>>>>> On 01/21/2016 05:04 PM, Martin Babinsky wrote: >>>>>>>> On 01/21/2016 01:37 PM, thierry bordaz wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Hi Thierry, >>>>>>>> >>>>>>>> I have couple of comments to your patch: >>>>>>>> >>>>>>>> 1.) >>>>>>>> there is a number of PEP8 errors in the patch >>>>>>>> (http://paste.fedoraproject.org/313246/33893701), please fix them. >>>>>>>> >>>>>>>> See http://www.freeipa.org/page/Python_Coding_Style for our >>>>>>>> conventions used in Python code. >>>>>>>> >>>>>>>> 2.) >>>>>>>> + DNA_BIND_METHOD = "dnaRemoteBindMethod" >>>>>>>> + DNA_CONN_PROTOCOL = "dnaRemoteConnProtocol" >>>>>>>> + DNA_PLUGIN_DN = 'cn=Distributed Numeric Assignment >>>>>>>> Plugin,cn=plugins,cn=config' >>>>>>>> + dna_config_base = 'cn=Posix IDs,%s' % DNA_PLUGIN_DN >>>>>>>> >>>>>>>> Uppercase names are usually reserved for module-level constants. >>>>>>>> OTOH, >>>>>>>> local variables should be lowercase. Also you can instantiate >>>>>>>> dna_config_base directly as DN, using 2-member tuples, i. 
e: >>>>>>>> >>>>>>>> """ >>>>>>>> dna_config_base = DN(('cn', 'posix IDs'), ('cn', 'Distributed >>>>>>>> Numeric >>>>>>>> Assignment Plugin'), ('cn', 'plugins'), ('cn', 'config')) >>>>>>>> """ >>>>>>>> >>>>>>>> When passing DN object to the formatting functions/operators, >>>>>>>> it is >>>>>>>> automatically converted to string so no need to hold string and DN >>>>>>>> object separately. This is done in other places (see >>>>>>>> function/methods >>>>>>>> in replication.py). >>>>>>>> >>>>>>>> 3.) >>>>>>>> >>>>>>>> + for i in range(len(entries)) : >>>>>>>> + >>>>>>>> + mod = [] >>>>>>>> + if entries[i].single_value.get(DNA_BIND_METHOD) != >>>>>>>> method: >>>>>>>> + mod.append((ldap.MOD_REPLACE, DNA_BIND_METHOD, >>>>>>>> method)) >>>>>>>> + >>>>>>>> + if entries[i].single_value.get(DNA_CONN_PROTOCOL) != >>>>>>>> protocol: >>>>>>>> + mod.append((ldap.MOD_REPLACE, DNA_CONN_PROTOCOL, >>>>>>>> protocol)) >>>>>>>> >>>>>>>> >>>>>>>> please use idiomatic Python when handling list of entries, e.g.: >>>>>>>> >>>>>>>> """ >>>>>>>> for entry in entries: >>>>>>>> mod = [] >>>>>>>> if entry.single_value.get(DNA_BIND_METHOD) != method: >>>>>>>> ... >>>>>>>> """ >>>>>>>> >>>>>>>> 4.) I think that this method should in DSInstance class since it >>>>>>>> deals >>>>>>>> with directory server configuration. Service is a parent object >>>>>>>> of all >>>>>>>> other service installers/configurators and should contain only >>>>>>>> methods >>>>>>>> common to more children. >>>>>>>> >>>>>>>> 5.) Since the method is called from every installer, it could be >>>>>>>> beneficial to call it in DSInstance.__common_post_setup() as a >>>>>>>> part of >>>>>>>> Directory server installation. Is there any reason why this is >>>>>>>> not the >>>>>>>> case? >>>>>>>> >>>>>>>> 6.) 
>>>>>>>> >>>>>>>> + while attempt != MAX_WAIT: >>>>>>>> + try: >>>>>>>> + entries = conn.get_entries(sharedcfgdn, >>>>>>>> scope=ldap.SCOPE_ONELEVEL, filter='dnaHostname=%s' % self.fqdn) >>>>>>>> + break >>>>>>>> + except errors.NotFound: >>>>>>>> + root_logger.debug("So far enable not find DNA >>>>>>>> shared >>>>>>>> config entry for dnaHostname=%s under %s. Retry in 2sec" % >>>>>>>> (self.fqdn, >>>>>>>> sharedcfgdn)) >>>>>>>> + attempt = attempt + 1 >>>>>>>> + time.sleep(2) >>>>>>>> + continue >>>>>>>> + >>>>>>>> + # safety checking >>>>>>>> + # there is no return, if there are several entries, as a >>>>>>>> workaround of #5510 >>>>>>>> + if len(entries) != 1: >>>>>>>> >>>>>>>> I am quite afraid what would happen if the server does not return >>>>>>>> any >>>>>>>> entries until 30 s timeout. The code will then continue to the >>>>>>>> condition which can potentially test an uninitialized variable and >>>>>>>> blow up with 'NameError'. This should be handled more robustly, >>>>>>>> e. g. >>>>>>>> raise an exception when a timeout is reached and no entries were >>>>>>>> returned. >>>>>>>> >>>>>>>> 7.) >>>>>>>> >>>>>>>> + if len(mod) > 0: >>>>>>>> >>>>>>>> A Pythonic way to test for non-empty container is >>>>>>>> >>>>>>>> """ >>>>>>>> if mods: >>>>>>>> # do stuff >>>>>>>> """ >>>>>>>> >>>>>>>> since an empty list/dict/set evaluates to False and non-empty >>>>>>>> containers are True. >>>>>>>> >>>>>>>> >>>>>>>> 8.) 
>>>>>>>> >>>>>>>> + entry = conn.get_entry(entries[i].dn) >>>>>>>> + if entry.single_value.get(DNA_BIND_METHOD) != >>>>>>>> method: >>>>>>>> + root_logger.error("Fail to set SASL/GSSAPI >>>>>>>> bind >>>>>>>> method to %s" % (entries[i].dn)) >>>>>>>> + if entry.single_value.get(DNA_CONN_PROTOCOL) != >>>>>>>> protocol: >>>>>>>> + root_logger.error("Fail to set LDAP >>>>>>>> protocol to >>>>>>>> %s" % (entries[i].dn)) >>>>>>>> >>>>>>>> rather than re-fetching the modified entry and testing what >>>>>>>> happened, >>>>>>>> you can just catch an exception raised by unsuccessfull mod and >>>>>>>> log an >>>>>>>> error like this: >>>>>>>> >>>>>>>> """ >>>>>>>> try: >>>>>>>> conn.modify_s(entry.dn, mod) >>>>>>>> except Exception as e: >>>>>>>> root_logger.error("Failed to modify entry {}: >>>>>>>> {}".format(entry, e)) >>>>>>>> """ >>>>>>>> >>>>>>>> as a matter of fact, if the modify_s operation would fail for some >>>>>>>> reason, an ldap exception would be raised and you checks would not >>>>>>>> even be executed. >>>>>>>> >>>>>>>> 9.) >>>>>>>> The debug message on line 219 should read "Unable to find DNA >>>>>>>> shared >>>>>>>> config entry for dnaHostname=%s so far. Retry in 2 sec.". The >>>>>>>> errors >>>>>>>> at the end of the method should have "Failed" instead of "Fail". >>>>>>>> >>>>>>> Hi Martin, >>>>>>> >>>>>>> Finally tested... here is the updated patch. Thanks for you >>>>>>> patience >>>>>>> >>>>>>> >>>>>>> thanks >>>>>>> thierry >>>>>> >>>>>> Hi Thierry, >>>>>> >>>>>> the patch works as expected. I have some more nitpicks though: >>>>>> >>>>>> 1.) Please fix the following pep8 errors: >>>>>> >>>>>> http://paste.fedoraproject.org/329086/56397841/ >>>>>> >>>>>> you can check whether you recent commit conforms to PEP8 by running >>>>>> >>>>>> "git show -U0 | pep8 --diff" >>>>>> >>>>>> 2.) 
>>>>>> + self.step("update DNA shared config entry", >>>>>> self.update_dna_shared_config) >>>>>> >>>>>> I would rather change the message to "Updating DNA shared config >>>>>> entry" since all other messages use continuous tense. >>>>>> >>>>>> 3.) >>>>>> + else: >>>>>> + raise RuntimeError("Could not get dnaHostname >>>>>> entries in {} seconds".format(max_wait * 2)) >>>>>> >>>>>> Please use root_logger.error() and then return as is used elsewhere >>>>>> in the method. We do not want a runaway exception crashing upgrade. >>>>>> >>>>> Hi Martin, >>>>> >>>>> Updated/tested the patch with your help/recommendations. pep8 is >>>>> clear >>>>> now :-) >>>>> >>>>> thanks >>>>> thierry >>>> >>>> Hi Martin, >>>> >>>> Following your recommendation it is an updated patch to not >>>> check/update >>>> shared config entry in DSinstance.__post_common_setup(). >>>> In fact at this step, DNA plugin is disabled and such the check >>>> would be >>>> a no-op. >>>> >>>> thanks >>>> thierry >>> >>> Thanks Thierry, >>> >>> the patch will need a rebased version which applies cleanly on top of >>> ipa-4-3 branch, but otherwise ACK. >>> >> Thanks Martin for all the reviews. >> >> Here is the patch for ipa-4.3 >> >> thnaks >> thierry > > Thanks, ACK. > Pushed to master: 6851e560dd1c9f4df98fd6b9d3063cd7dcc3bafc Pushed to ipa-4-3: 4531eaedfbc45bd8b1d11ebda48b92d1589ad1b3 From mbasti at redhat.com Wed Mar 2 15:50:43 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 2 Mar 2016 16:50:43 +0100 Subject: [Freeipa-devel] [PATCH 0422] CI: allow customized DS install test to run under different domain levels In-Reply-To: <56CDF007.5030200@redhat.com> References: <56CDF007.5030200@redhat.com> Message-ID: <56D70BD3.2060809@redhat.com> On 24.02.2016 19:01, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5606 > > Patch attached. > > Bump for review -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Mar 2 15:53:12 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 16:53:12 +0100
Subject: [Freeipa-devel] [PATCH 0128] ipalib/cli.py: pythonify Collector class
In-Reply-To: <56AA42AA.2010407@redhat.com>
References: <569D242C.2030903@redhat.com> <56A8DAFF.3080905@redhat.com> <56AA23BE.3070708@redhat.com> <56AA376F.1010102@redhat.com> <56AA3C6B.5080403@redhat.com> <56AA42AA.2010407@redhat.com>
Message-ID: <56D70C68.40404@redhat.com>

On 28.01.2016 17:32, Martin Babinsky wrote:
> On 01/28/2016 05:06 PM, Tomas Babej wrote:
>>
>>
>> On 01/28/2016 04:44 PM, Martin Babinsky wrote:
>>> On 01/28/2016 03:20 PM, Tomas Babej wrote:
>>>>
>>>>
>>>> On 01/27/2016 03:58 PM, Martin Babinsky wrote:
>>>>> On 01/18/2016 06:43 PM, Martin Babinsky wrote:
>>>>>> A little patch that should make some future pylint errors disappear.
>>>>>>
>>>>>>
>>>>>>
>>>>> Attaching updated patch that does not promote direct molestation of
>>>>> instance dictionaries.
>>>>>
>>>>>
>>>>>
>>>>
>>>> Patch looks good, one thing I am concerned about though is that
>>>> __todict__ now returns a direct reference to the internal, mutable
>>>> dict,
>>>> and no longer a (shallow) copy.
>>>>
>>>> Maybe we should use dict.copy() there?
>>>>
>>>> Tomas
>>>>
>>>
>>> Ah I didn't realize that. Fixed in updated patch.
>>>
>>
>> Nitpick: Sorry for being misleading - I did not mean to suggest invoking
>> the method using the dict type directly. While being equivalent, the
>>
>> dict.copy(self.__options)
>>
>> it's less idiomatic than:
>>
>> self.__options.copy()
>>
>> Tomas
>>
>
> Ah sorry I forgot how to python again.
>
> Attaching patch.
>
>
>
Bump for review
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Wed Mar 2 15:53:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 16:53:48 +0100
Subject: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled
In-Reply-To: <56AA32DA.9000209@redhat.com>
References: <56AA3080.4090600@redhat.com> <56AA3268.9050805@redhat.com> <56AA32DA.9000209@redhat.com>
Message-ID: <56D70C8C.4070004@redhat.com>

On 28.01.2016 16:25, Petr Vobornik wrote:
> On 01/28/2016 04:23 PM, Tomas Babej wrote:
>>
>>
>> On 01/28/2016 04:15 PM, Petr Vobornik wrote:
>>> Reworks also sessionStorage test because disablement of cookies
>>> might be
>>> connected with sessionStorage and localStorage. E.g. Chrome raises
>>> exception when *Storage is accessed with "Block sites from setting any
>>> data" settings set in "Content Settings/Cookies" section.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4338
>>>
>>>
>>
>> Seems that two spaces inserted themselves to the error message for
>> localStorage :)
>>
>
> updated patch attached.
>
>
Bump for review
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Wed Mar 2 15:54:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 16:54:29 +0100
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com>
Message-ID: <56D70CB5.3010607@redhat.com>

On 28.01.2016 10:45, Filip Skola wrote:
>
> ----- Original Message -----
>> On 01/18/2016 02:26 PM, Filip Skola wrote:
>>> Hi,
>>>
>>> this should be fixed in this patch.
>>>
>>> F.
>>>
>>> ----- Original Message -----
>>>> On 01/15/2016 03:37 PM, Filip Skola wrote:
>>>>> Hi,
>>>>>
>>>>> sending rebased patch.
>>>>>
>>>>> F.
>>>>>
>>>>> ----- Original Message -----
>>>>>> Hi,
>>>>>>
>>>>>> the patch no longer applies to master. Please rebase it.
>>>>>>
>>>>>> Thanks,
>>>>>> Milan
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Filip Skola"
>>>>>> To: freeipa-devel at redhat.com
>>>>>> Cc: "Milan Kubík" , "Aleš Mareček"
>>>>>>
>>>>>> Sent: Tuesday, 22 December, 2015 11:56:15 AM
>>>>>> Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> another patch from refactoring-test_xmlrpc series.
>>>>>>
>>>>>> Filip
>>>>>>
>>>> NACK, something seems to be missing in the patch
>>>>
>>>>
>>>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
>>>> ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member),
>>>> HostGroupTracker.check_add_member_negative] Instance of
>>>> 'HostGroupTracker' has no 'adds' member)
>>>>
>>>> --
>>>> Milan Kubik
>>>>
>>>>
>> The same as with patch 0002:
>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
>> W:142,26: Calling a dict.iter*() method (dict-iter-method)
>>
>> Please use dict.items method.
>>
>> --
>> Milan Kubik
>>
>>
> Hi,
>
> attaching a fixed patch. This patch is dependent on updated group plugin test patch 0002-7.
>
> Filip
>
>
Bump for review
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Wed Mar 2 16:17:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 17:17:32 +0100
Subject: [Freeipa-devel] [PATCH 0429] fix suspicious except statement
Message-ID: <56D7121C.90800@redhat.com>

Patch attached, read commit message for more info.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0429-fix-suspicious-except-statement-in-update_ssh_key.patch
Type: text/x-patch
Size: 1071 bytes
Desc: not available
URL:
From mbasti at redhat.com Wed Mar 2 16:33:18 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 17:33:18 +0100
Subject: [Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys
Message-ID: <56D715CE.3040003@redhat.com>

Patch attached, see commit message for details
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0430-Remove-unused-arguments-from-update_ssh_keys-method.patch
Type: text/x-patch
Size: 1403 bytes
Desc: not available
URL:
From mbasti at redhat.com Wed Mar 2 16:51:38 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 17:51:38 +0100
Subject: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install
In-Reply-To: <1456604366.2844.13.camel@stefany.eu>
References: <1456175624.5411.4.camel@stefany.eu> <56CF0060.3090202@redhat.com> <56CF0353.5060705@redhat.com> <1456604366.2844.13.camel@stefany.eu>
Message-ID: <56D71A1A.1060602@redhat.com>

On 27.02.2016 21:19, Martin Štefany wrote:
> Hi,
>
> I did as Jan suggested, everything is now a new command 'ipa-sshupdate',
> (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste),
> rest is based on ipa-client-install's code. I'm not sure if this is
> correct, but you might want to change ipa-client-install to just 'import
> ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how this
> is compatible with 'code deduplication', 're-usage', etc.
>
> Another open point from my side is PEP8 compliance, I've ran the new
> code through pep8 utility with defaults and it's 'OK'. But so is code in
> my employer's project and they look slightly 'different', mainly for
> brackets, strings, etc. Please, have a look to that, too, I'm happy for
> any guidance.
>
> Martin
>
> On ?t, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:
>> Hi,
>>
>> On 25.2.2016 14:23, Martin Basti wrote:
>>>
>>>
>>> On 22.02.2016 22:13, Martin Štefany wrote:
>>>> Hi,
>>>>
>>>> please, review the attached patch which adds --ssh-update to ipa-
>>>> client-
>>>> install.
>>>>
>>>> Ticket:https://fedorahosted.org/freeipa/ticket/2655
>>> Hello,
>>> thank you for your patch.
>>> Please attach a patch as a file next time.
>>>
>>> I have doubts that this should be part of ipa-client-install, this
>>> needs
>>> a broader discussion.
>> +1, I think it should be a separate command (ignore my earlier
>> suggestion from Trac to incorporate this into ipa-client-install, I
>> was
>> young and stupid).
>> >> See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an >> example >> of how such a command should be implemented. >> >>> >>> Code comments inline: >>>> >>>> --- >>>> Martin >>>> >>>>> From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 >>>>> 00:00:00 2001 >>>> From: Martin Stefany >>>> Date: Mon, 22 Feb 2016 20:58:13 +0000 >>>> Subject: [PATCH] Add new parameter --ssh-update to ipa-client- >>>> install >>>> >>>> Add a new parameter '--ssh-update' which can be used later after >>>> freeipa >>>> client is installed to update SSH hostkeys and SSHFP DNS records >>>> for >>>> host. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2655 >>>> --- >>>> ipa-client/ipa-install/ipa-client-install | 102 >>>> +++++++++++++++++++++++++++++- >>>> 1 file changed, 99 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- >>>> client/ipa- >>>> install/ipa-client-install >>>> index >>>> 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bddada89 >>>> a3b151 >>>> 33e398ca50 100755 >>>> --- a/ipa-client/ipa-install/ipa-client-install >>>> +++ b/ipa-client/ipa-install/ipa-client-install >>>> @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 >>>> CLIENT_NOT_CONFIGURED = 2 >>>> CLIENT_ALREADY_CONFIGURED = 3 >>>> CLIENT_UNINSTALL_ERROR = 4 # error after restoring files/state >>>> +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH public >>>> keys >>>> >>>> def parse_options(): >>>> def validate_ca_cert_file_option(option, opt, value, >>>> parser): 
>>>> @@ -215,6 +216,12 @@ def parse_options(): >>>> "be run with -- >>>> unattended >>>> option") >>>> parser.add_option_group(uninstall_group) >>>> >>>> + sshupdate_group = OptionGroup(parser, "SSH key update >>>> options") >>>> + sshupdate_group.add_option("--ssh-update", dest="ssh_update", >>>> + action="store_true", default=False, >>>> + help="update local host's SSH public keys >>>> in host >>>> entry and DNS.") >>>> + parser.add_option_group(sshupdate_group) >>>> + >>>> options, args = parser.parse_args() >>>> safe_opts = parser.get_safe_opts(options) 
>>>> >>>> @@ -840,6 +847,92 @@ def uninstall(options, env): >>>> >>>> return rv >>>> >>>> +def sshupdate(options, env): >>>> + if not is_ipa_client_installed(): >>>> + root_logger.error("IPA client is not configured on this >>>> system.") >>>> + return CLIENT_NOT_CONFIGURED >>>> + >>>> + api.bootstrap(context='cli_installer', debug=options.debug) >>>> + api.finalize() >>>> + if 'config_loaded' not in api.env: >>>> + root_logger.error("Failed to initialize IPA API.") >>>> + return CLIENT_SSHUPDATE_ERROR >>>> + >>>> + # Now, let's try to connect to the server's RPC interface >>>> + connected = False >>>> + try: >>>> + api.Backend.rpcclient.connect() >>>> + connected = True >>>> + root_logger.debug("Try RPC connection") >>>> + api.Backend.rpcclient.forward('ping') >>>> + except errors.KerberosError as e: >>>> + if connected: >>>> + api.Backend.rpcclient.disconnect() >>>> + root_logger.info( >>>> + "Cannot connect to the server due to Kerberos error: >>>> %s. " >>>> + "Trying with delegate=True", e) >>>> + try: >>>> + api.Backend.rpcclient.connect(delegate=True) >>>> + root_logger.debug("Try RPC connection") >>>> + api.Backend.rpcclient.forward('ping') >>>> + >>>> + root_logger.info("Connection with delegate=True >>>> successful") >>>> + >>>> + # The remote server is not capable of Kerberos >>>> S4U2Proxy >>>> + # delegation. 
This features is implemented in IPA >>>> server >>>> + # version 2.2 and higher >>>> + root_logger.warning( >>>> + "Target IPA server has a lower version than the >>>> enrolled " >>>> + "client") >>>> + root_logger.warning( >>>> + "Some capabilities including the ipa command >>>> capability >>>> " >>>> + "may not be available") >>>> + except errors.PublicError as e2: >>>> + root_logger.warning( >>>> + "Second connect with delegate=True also failed: >>>> %s", >>>> e2) >>>> + root_logger.error( >>>> + "Cannot connect to the IPA server RPC interface: >>>> %s", >>>> e2) >>>> + return CLIENT_SSHUPDATE_ERROR >>>> + except errors.PublicError as e: >>>> + root_logger.error( >>>> + "Cannot connect to the server due to generic error: >>>> %s", e) >>>> + return CLIENT_SSHUPDATE_ERROR >>> I think you should be kinited with client keytab, client is allowed >>> to >>> modify its SSHpublic keys in ldap. I'd only require to be root to >>> execute it. >>> >>> kinit -kt /etc/krb5.keytab host/`hostname` >>> ipa host-mod `hostname` --sshpubkey="something" >>> >>> Also this rpcconnection looks to me too much complicated, I think it >>> should be just simple rpcconnect >>> >>>> + >>>> + # We need to pull IPA server address from default.conf >>>> + try: >>>> + parser = RawConfigParser() >>>> + parser.read(paths.IPA_DEFAULT_CONF) >>>> + cli_realm = parser.get('global', 'realm') >>>> + hostname = parser.get('global', 'host') >>>> + # TODO: consult with review team >>>> + # except ConfigParser.NoSectionError as e: >>>> + # pass >>>> + # except ConfigParser.ParsingError as e: >>>> + # pass >>>> + finally: >>>> + pass >>> You can raise error there. >>> >>>> + >>>> + host_principal = 'host/%s@%s' % (hostname, cli_realm) >>>> + # Obtain the TGT. We do it with the temporary krb5.conf, so >>>> that >>>> + # only the KDC we're installing under is contacted. >>>> + # Other KDCs might not have replicated the principal yet. >>>> + # Once we have the TGT, it's usable on any server. 
>>> I don't think that temporary krb5.conf should be used here >>>> + try: >>>> + ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB, >>>> + CCACHE_FILE, >>>> + # config=krb_name, >>>> + attempts=options.kinit_attempts) >>>> + env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = >>>> CCACHE_FILE >>>> + except Krb5Error as e: >>>> + print_port_conf_info() >>>> + root_logger.error("Failed to obtain host TGT: %s" % e) >>>> + # failure to get ticket makes it impossible to login and >>>> bind >>>> + # from sssd to LDAP, abort installation and rollback >>>> changes >>>> + return CLIENT_INSTALL_ERROR >>> This is not install error. >>> >>>> + >>>> + # passing server parameter seems unneccessary, thus passing >>>> only "" >>>> + update_ssh_keys("", hostname, >>>> services.knownservices.sshd.get_config_dir(), >>>> options.create_sshfp) >>>> + >>>> def configure_ipa_conf(fstore, cli_basedn, cli_realm, >>>> cli_domain, >>>> cli_server, hostname): >>>> ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA >>>> Installer") >>>> ipaconf.setOptionAssignment(" =") @@ -2797,7 +2890,7 @@ def >>>> install(options, env, fstore, >>>> statestore): connected = True >>>> root_logger.debug("Try RPC connection") >>>> api.Backend.rpcclient.forward('ping') >>>> - except errors.KerberosError, e: >>>> + except errors.KerberosError as e: >>> Please don't modify code that already exists and it is not related >>> to >>> this change >>>> if connected: >>>> api.Backend.rpcclient.disconnect() >>>> root_logger.info( 
>>>> @@ -2820,13 +2913,13 @@ def install(options, env, fstore, >>>> statestore): >>>> root_logger.warning( >>>> "Some capabilities including the ipa command >>>> capability " >>>> "may not be available") >>>> - except errors.PublicError, e2: >>>> + except errors.PublicError as e2: >>> Remove this from patch too >>>> root_logger.warning( >>>> "Second connect with delegate=True also >>>> failed: >>>> %s", e2) >>>> root_logger.error( >>>> "Cannot connect to the IPA server RPC >>>> interface: >>>> %s", e2) >>>> return CLIENT_INSTALL_ERROR >>>> - except errors.PublicError, e: >>>> + except errors.PublicError as e: >>> and this too >>>> root_logger.error( >>>> "Cannot connect to the server due to generic >>>> error: >>>> %s", e) >>>> return CLIENT_INSTALL_ERROR 
>>>> @@ -3088,6 +3181,9 @@ def main(): >>>> if options.uninstall: >>>> return uninstall(options, env) >>>> >>>> + if options.ssh_update: >>>> + return sshupdate(options, env) >>>> + >>>> if is_ipa_client_installed(on_master=options.on_master): >>>> root_logger.error("IPA client is already configured on >>>> this >>>> system.") >>>> root_logger.info( >>>> -- >>>> 1.8.3.1 >>>> >>>> >>> Martin^2 >>> >>> >> Honza Thanks, I have a few comments 1) Please use new license format in header of the new files # # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # 2) This is very bad, I sent patch to fix it in client code + except ValueError as UnicodeDecodeError: + continue it should be except (ValueError, UnicodeDecodeError): and maybe debug log? 3) I see many errors, respectively not so nice code there, but I realized that everything is from ipa-client-install. I think it would be better to extract update_ssh_keys, and do_nsupdate to separate module and reuse it in both scripts. I have to find out which (ipaclient, ipalib, ...) module are the best. Then fix issues with these functions. stay tuned :) Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Mar 2 17:23:16 2016 
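Review bot: In the new sshupdate() function (hunk at -840,6 +847,92) the body ends on the update_ssh_keys("", hostname, ...) call and returns nothing, so `return sshupdate(options, env)` in main() yields None on that path and nothing in the visible lines reports whether the host entry and SSHFP records were actually updated. Return an explicit success code after the call and CLIENT_SSHUPDATE_ERROR when it fails. The config-reading block just above it has the same gap: `try: ... finally: pass` with the except clauses commented out handles nothing, so a missing [global] section or realm/host key surfaces as a raw traceback instead of a logged error and CLIENT_SSHUPDATE_ERROR.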
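Review bot: In main() (hunk at -3088,6 +3181,9) the options.ssh_update branch is tested only after options.uninstall, so an invocation carrying both --uninstall and --ssh-update runs the uninstall and silently drops the update request, and the parse_options() hunk adds --ssh-update without rejecting any combination. Make the conflict explicit in parse_options(), for example with parser.error(), so the caller gets an error instead of a silently ignored flag.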
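Point 2 of the review above, as an added Python 3 illustration (not code from the patch or from FreeIPA; the helper names and sample key lines are constructed): `except A as B` binds the caught exception to the name `B`, it does not match a second exception type.

```python
# Added illustration: constructed helper names and sample key lines,
# not code from ipa-client-install or the patches in this thread.
import base64
import logging

log = logging.getLogger("except-example")


def decode_lines_as_written(raw_lines):
    """Handler spelled like the quoted line.

    'as' turns the second name into a binding target; it is not a second
    exception type. Undecodable input is still skipped here only because
    UnicodeDecodeError is a subclass of ValueError.
    """
    out = []
    for raw in raw_lines:
        try:
            out.append(raw.decode("utf-8").strip())
        except ValueError as UnicodeDecodeError:
            continue
    return out


def builtin_name_after_handler(raw):
    """Show the side effect: inside this function the builtin name is now
    a local variable, unbound whether or not the handler ran."""
    try:
        raw.decode("utf-8")
    except ValueError as UnicodeDecodeError:
        pass
    try:
        return UnicodeDecodeError.__name__
    except UnboundLocalError:
        return "unbound"


def key_blob_as_written(line):
    """Same spelling with unrelated types: only ValueError is caught, so a
    line with no key field raises IndexError out of the function."""
    try:
        return base64.b64decode(line.split()[1], validate=True)
    except ValueError as IndexError:
        return None


def key_blob_fixed(line):
    """Tuple form from the review, with the suggested debug log."""
    try:
        return base64.b64decode(line.split()[1], validate=True)
    except (ValueError, IndexError) as e:
        log.debug("skipping malformed public key line: %s", e)
        return None
```

The Python 2 spelling `except ValueError, UnicodeDecodeError:` has the same binding meaning, which is how a mechanical conversion to `as` preserves the mistake.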
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 2 Mar 2016 18:23:16 +0100
Subject: [Freeipa-devel] [PATCH 0429] fix suspicious except statement
In-Reply-To: <56D7121C.90800@redhat.com>
References: <56D7121C.90800@redhat.com>
Message-ID: <56D72184.4040906@redhat.com>

On 02.03.2016 17:17, Martin Basti wrote:
> Patch attached, read commit message for more info.
>
>
https://fedorahosted.org/freeipa/ticket/5718

Updated patch attached.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0429.2-fix-suspicious-except-statements.patch
Type: text/x-patch
Size: 2189 bytes
Desc: not available
URL:
From simo at redhat.com Wed Mar 2 18:55:27 2016
From: simo at redhat.com (Simo Sorce)
Date: Wed, 02 Mar 2016 13:55:27 -0500
Subject: [Freeipa-devel] Supporting UPNs of trusted forests
In-Reply-To: <20160302152455.GP4492@redhat.com>
References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> <20160302152455.GP4492@redhat.com>
Message-ID: <1456944927.8257.74.camel@redhat.com>

On Wed, 2016-03-02 at 17:24 +0200, Alexander Bokovoy wrote:
> On Wed, 02 Mar 2016, Petr Vobornik wrote:
> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote:
> >>Hi,
> >>
> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
> >>describes a design page to support name suffixes from trusted Active
> >>Directory domains.
> >>
> >>A prototype code exists (written by me and Sumit) and was tested by Sumit
> >>against recent releases of SSSD.
> >>
> >>Text is provided below for easier commenting.
> >>-----------------------------------------------------------------
> >>{{Feature|version=TODO|ticket=TODO|author=Ab}}
> >>
> >>== Overview ==
> >>User principal name (UPN) in Active Directory is the primary form of
> >>addressing users. UPN has structure of 'user name at suffix' where both
> >>user name and suffix parts may vary. By default the suffix is the same
> >>as the Active Directory domain name but AD administrators may create
> >>additional name suffixes and associate them with specific users. These
> >>additional UPNs for users may then be used for Kerberos authentication
> >>against Active Directory domains.
> >>
> >>Alternative UPNs are often used when several companies with Active
> >>Directory deployments merge and want to provide unified logon namespace.
> >>
> >>The purpose of this feature is to allow using alternative UPNs
> >>associated with the Active Directory users when accessing resources in
> >>FreeIPA domain.
> >>
> >>== Use Cases ==
> >>
> >>As an Active Directory user, I want to login using my user at EXAMPLE user
> >>principal name even if my Active Directory domain is named
> >>REGION.EXAMPLE.COM.
> >>== Design==
> >>Support for UPNs is split to three different components:
> >>;Client-side
> >>: SSSD already supports logon with UPN by asking a KDC to accept
> >>enterprise logon names. By default, the use of enterprise principals is
> >>disabled, therefore, krb5_use_enterprise_principal = True
> >>needs to be added to sssd.conf to enable it.
> >>
> >>;KDC
> >>: IPA KDC does understand multiple domains associated with the trusted
> >>AD forest. However, since no information about name suffixes associated
> >>with the forest is available, it cannot take them into account when
> >>processing enterprise logon names to issue referrals to the correct
> >>realm. Support needs to be added to allow IPA KDC to look up name
> >>suffixes associated with a trusted forest.
> >>
> >>; IPA framework
> >>: Changes needed on IPA framework side to fetch from Active Directory a
> >>list of name suffixes and store them in the trusted domain objects.
> >>
> >>== Implementation ==
> >>For retrieving name suffixes, IPA framework needs to move to use
> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
> >>top level names associated with the forest.
> >>
> >>As top level names (TLNs) have only a single string as a name suffix,
> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
> >>name). Thus, either IPA KDB driver needs to be extended to understand
> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
> >>as a property of tree root domains of the forest.
> >>
> >>== Feature Management ==
> >>
> >>=== UI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate panel needs to be extended to display them.
> >>
> >>=== CLI ===
> >>If TLNs are added as a property of tree root domains of the forest,
> >>appropriate attribute need to be handled by '''trust-show''' command. If
> >>TLNs represented as separate 'trusted domains' of the trusted forest, no
> >>work is needed on CLI other than being able to support 'trusted domains'
> >>without SID and NetBIOS name.
> >
> >What is meant by 'tree root domains of the forest' in IPA context? The
> >trust object?
> Yes. A forest might have multiple tree roots. We establish trust with
> one of them (forest root domain) but you can have distinct tree roots
> too. For a forest example.com a separate tree root could be ad.test
> which is still a part of the forest. In Windows' UI for domains and
> forests trust you'll see it as a separate entry at the top level. Each
> tree root may have associated name suffixes.
>
> There are actually two different approaches we discussed with Sumit
> -- one is to store TLNs as attributes of TDO, another is to create
> separate TDOs, building on the fact you noticed:
> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid
> >attributes as optional so it is possible to store it there assuming
> >modification of KDB driver.
> This is what I did already in the prototype:
> https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch
>
> So we are sure that either way would work, the question is what would be
> more usable UX-wise.

How does Windows represent them ?

I'd try to stick to something close to what AD does to avoid pain if
later is found that the way Windows does things is necessary (or just
easier) to keep adding further options down the road.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Wed Mar 2 19:11:03 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 2 Mar 2016 21:11:03 +0200
Subject: [Freeipa-devel] External trust to AD
In-Reply-To: <56D70768.7030907@redhat.com>
References: <20160302101333.GI4492@redhat.com> <56D70768.7030907@redhat.com>
Message-ID: <20160302191103.GQ4492@redhat.com>

On Wed, 02 Mar 2016, Petr Vobornik wrote:
>On 03/02/2016 11:13 AM, Alexander Bokovoy wrote:
>>Hi,
>>
>>http://www.freeipa.org/page/V4/External_trust_to_AD documents a design
>>for external trust to AD feature.
>>
>>The text is included below for easier review.
>>-----------------------------------------------------------------------
>>{{Feature|version=TODO|ticket=TODO|author=Ab}}
>>
>>== Overview ==
>>Support for external trust to a domain from Active Directory forest
>>
>>An external trust is a trust relationship between Active Directory
>>domains that are in different Active Directory forests. While forest
>>trust always requires to establish trust between root domains of the
>>Active Directory forests, external trust can be established to any
>>domain within the forest.
>>
>>== Use Cases ==
>>
>>As an Active Directory domain admin, I want to establish trust between
>>IPA and my domain only. The trust between IPA and an external Active
>>Directory domain will be non-transitive as no users or groups from other
>>Active Directory domains will have access to IPA resources.
>>
>>== Design==
>>
>>External trust between Active Directory domains is by definition
>>non-transitive and enforces SID filtering between the domain boundaries.
>>This means only users and groups with SIDs from the trusted domain can
>>use the resources and be visible on IPA systems. None of other users and
>>groups from domains the trusted domain trusts within its own Active
>>Directory forest or other externally trusted domains will be allowed to
>>access IPA resources.
>>
>>== Implementation ==
>>
>>External trust feature re-uses existing forest trust infrastructure.
>>There are several specific changes to allow supporting external trust:
>>* '''Non-transitivity''': since external trust is non-transitive by
>>* definition, any attempt to set transitivity feature of the trust link
>>* with LSA SetInformationTrustedDomain() command will fail. Thus, there
>>* is no need to set transitivity for the external trust.
>
>Sounds very simple :)
>
>Do I get it right that it is possible to do it today? Because now the
>code just do:
> root_logger.error('unable to set trust to transitive: %s' % (str(e)))
> pass

I have a patchset to add this support already. I want to clean up some
parts of it, namely, reporting of the resulting trust type, but it all
works.

>
>>* '''Trust attributes''': external trust can be detected by looking into
>>* absence of ipaNTTrustAttributes LDAP attribute of the trusted domain
>>* object.
>>
>>== Feature Management ==
>>
>>=== UI ===
>>An option 'external trust' needs to be added to Web UI, corresponding to
>>'--external' flag in 'trust-add' command in CLI.
>>
>>=== CLI ===
>>An external trust creation can be requested by passing additional flag
>>'--external=true' to the 'trust-add' command. The flag defaults to
>>'false', e.g. no external trust would be created.
>>
>>{| class="wikitable"
>>|-
>>! Command
>>! Options
>>|-
>>| trust-add
>>| --external=true/false
>>|}
>
>We should also add 'external' param to output of trust_find and
>trust_show + corresponding change in Web UI and CLI.

It will be part of trust type string, not a separate param.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Mar 2 19:19:58 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 2 Mar 2016 21:19:58 +0200 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <1456944927.8257.74.camel@redhat.com> References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> <20160302152455.GP4492@redhat.com> <1456944927.8257.74.camel@redhat.com> Message-ID: <20160302191958.GR4492@redhat.com> On Wed, 02 Mar 2016, Simo Sorce wrote: >On Wed, 2016-03-02 at 17:24 +0200, Alexander Bokovoy wrote: >> On Wed, 02 Mar 2016, Petr Vobornik wrote: >> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: >> >>Hi, >> >> >> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains >> >>describes a design page to support name suffixes from trusted Active >> >>Directory domains. >> >> >> >>A prototype code exists (written by me and Sumit) and was tested by Sumit >> >>against recent releases of SSSD. >> >> >> >>Text is provided below for easier commenting. >> >>----------------------------------------------------------------- >> >>{{Feature|version=TODO|ticket=TODO|author=Ab}} >> >> >> >>== Overview == >> >>User principal name (UPN) in Active Directory is the primary form of >> >>addressing users. UPN has structure of 'user name at suffix' where both >> >>user name and suffix parts may vary. By default the suffix is the same >> >>as the Active Directory domain name but AD administrators may create >> >>additional name suffixes and associate them with specific users. These >> >>additional UPNs for users may then be used for Kerberos authentication >> >>against Active Directory domains. >> >> >> >>Alternative UPNs are often used when several companies with Active >> >>Directory deployments merge and want to provide unified logon namespace. >> >> >> >>The purpose of this feature is to allow using alternative UPNs >> >>associated with the Active Directory users when accessing resources in >> >>FreeIPA domain. 
>> >>
>> >>== Use Cases ==
>> >>
>> >>As an Active Directory user, I want to login using my user@EXAMPLE user
>> >>principal name even if my Active Directory domain is named
>> >>REGION.EXAMPLE.COM.
>> >>== Design==
>> >>Support for UPNs is split to three different components:
>> >>;Client-side
>> >>: SSSD already supports logon with UPN by asking a KDC to accept
>> >>enterprise logon names. By default, the use of enterprise principals is
>> >>disabled, therefore, krb5_use_enterprise_principal = True
>> >>needs to be added to sssd.conf to enable it.
>> >>
>> >>;KDC
>> >>: IPA KDC does understand multiple domains associated with the trusted
>> >>AD forest. However, since no information about name suffixes associated
>> >>with the forest is available, it cannot take them into account when
>> >>processing enterprise logon names to issue referrals to the correct
>> >>realm. Support needs to be added to allow IPA KDC to look up name
>> >>suffixes associated with a trusted forest.
>> >>
>> >>; IPA framework
>> >>: Changes needed on IPA framework side to fetch from Active Directory a
>> >>list of name suffixes and store them in the trusted domain objects.
>> >>
>> >>== Implementation ==
>> >>For retrieving name suffixes, IPA framework needs to move to use
>> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
>> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
>> >>top level names associated with the forest.
>> >>
>> >>As top level names (TLNs) have only a single string as a name suffix,
>> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
>> >>name). Thus, either IPA KDB driver needs to be extended to understand
>> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
>> >>as a property of tree root domains of the forest.
>> >> >> >>== Feature Management == >> >> >> >>=== UI === >> >>If TLNs are added as a property of tree root domains of the forest, >> >>appropriate panel needs to be extended to display them. >> >> >> >>=== CLI === >> >>If TLNs are added as a property of tree root domains of the forest, >> >>appropriate attribute need to be handled by '''trust-show''' command. If >> >>TLNs represented as separate 'trusted domains' of the trusted forest, no >> >>work is needed on CLI other than being able to support 'trusted domains' >> >>without SID and NetBIOS name. >> > >> >What is meant by 'tree root domains of the forest' in IPA context? The >> >trust object? >> Yes. A forest might have multiple tree roots. We establish trust with >> one of them (forest root domain) but you can have distinct tree roots >> too. For a forest example.com a separate tree root could be ad.test >> which is still a part of the forest. In Windows' UI for domains and >> forests trust you'll see it as a separate entry at the top level. Each >> tree root may have associated name suffixes. >> >> There are actually two different approaches we discussed with Sumit >> -- one is to store TLNs as attributes of TDO, another is to create >> separate TDOs, building on the fact you noticed: >> >Btw trustdomain object has ipantflatname and ipanttrusteddomainsid >> >attributes as optional so it is possible to store it there assuming >> >modification of KDB driver. >> This is what I did already in the prototype: >> https://abbra.fedorapeople.org/.paste/0001-WIP-support-UPNs-for-trusted-domain-users.master.patch >> >> So we are sure that either way would work, the question is what would be >> more usable UX-wise. > >How does Windows represent them ? Weirdly. >I'd try to stick to something close to what AD does to avoid pain if >later is found that the way Windows does things is necessary (or just >easier) to keep adding further options down the road. 
See following article as an example, starting from third figure: http://bohemiangrove.co.uk/outlook-anywhere-with-additonal-upn-suffix/ It is totally hidden under tree root domain properties in Active Directory Domains and Trusts. There you can add name suffixes. To use them you need to go to a specific user properties in Active Directory Users and Computers and select the name suffix for user logon name under account tab. Once you chose a specific suffix, other suffixes cannot be used for this user -- other than the primary one which is always enabled. -- / Alexander Bokovoy From abokovoy at redhat.com Wed Mar 2 19:20:57 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 2 Mar 2016 21:20:57 +0200 Subject: [Freeipa-devel] Supporting UPNs of trusted forests In-Reply-To: <20160302153849.GG3079@p.redhat.com> References: <20160302105525.GJ4492@redhat.com> <56D70170.1080201@redhat.com> <20160302152455.GP4492@redhat.com> <20160302153849.GG3079@p.redhat.com> Message-ID: <20160302192057.GS4492@redhat.com> On Wed, 02 Mar 2016, Sumit Bose wrote: >On Wed, Mar 02, 2016 at 05:24:55PM +0200, Alexander Bokovoy wrote: >> On Wed, 02 Mar 2016, Petr Vobornik wrote: >> >On 03/02/2016 11:55 AM, Alexander Bokovoy wrote: >> >>Hi, >> >> >> >>http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains >> >>describes a design page to support name suffixes from trusted Active >> >>Directory domains. >> >> >> >>A prototype code exists (written by me and Sumit) and was tested by Sumit >> >>against recent releases of SSSD. >> >> >> >>Text is provided below for easier commenting. >> >>----------------------------------------------------------------- >> >>{{Feature|version=TODO|ticket=TODO|author=Ab}} >> >> >> >>== Overview == >> >>User principal name (UPN) in Active Directory is the primary form of >> >>addressing users. UPN has structure of 'user name at suffix' where both >> >>user name and suffix parts may vary. By default the suffix is the same >> >>as the Active Directory domain name but AD administrators may create >> >>additional name suffixes and associate them with specific users. These >> >>additional UPNs for users may then be used for Kerberos authentication >> >>against Active Directory domains. >> >> >> >>Alternative UPNs are often used when several companies with Active >> >>Directory deployments merge and want to provide unified logon namespace. >> >> >> >>The purpose of this feature is to allow using alternative UPNs >> >>associated with the Active Directory users when accessing resources in >> >>FreeIPA domain. 
>> >>
>> >>== Use Cases ==
>> >>
>> >>As an Active Directory user, I want to login using my user@EXAMPLE user
>> >>principal name even if my Active Directory domain is named
>> >>REGION.EXAMPLE.COM.
>> >>== Design==
>> >>Support for UPNs is split to three different components:
>> >>;Client-side
>> >>: SSSD already supports logon with UPN by asking a KDC to accept
>> >>enterprise logon names. By default, the use of enterprise principals is
>> >>disabled, therefore, krb5_use_enterprise_principal = True
>> >>needs to be added to sssd.conf to enable it.
>> >>
>> >>;KDC
>> >>: IPA KDC does understand multiple domains associated with the trusted
>> >>AD forest. However, since no information about name suffixes associated
>> >>with the forest is available, it cannot take them into account when
>> >>processing enterprise logon names to issue referrals to the correct
>> >>realm. Support needs to be added to allow IPA KDC to look up name
>> >>suffixes associated with a trusted forest.
>> >>
>> >>; IPA framework
>> >>: Changes needed on IPA framework side to fetch from Active Directory a
>> >>list of name suffixes and store them in the trusted domain objects.
>> >>
>> >>== Implementation ==
>> >>For retrieving name suffixes, IPA framework needs to move to use
>> >>NETLOGON netr_DsRGetForestTrustInformation function instead of
>> >>netr_DsrEnumerateDomainTrusts. This allows to retrieve both domains and
>> >>top level names associated with the forest.
>> >>
>> >>As top level names (TLNs) have only a single string as a name suffix,
>> >>they cannot be stored as trusted domains (they lack SID and NetBIOS
>> >>name). Thus, either IPA KDB driver needs to be extended to understand
>> >>trusted domains without SID and NetBIOS name, or TLNs need to be stored
>> >>as a property of tree root domains of the forest.
>> >> >> >>== Feature Management == >> >> >> >>=== UI === >> >>If TLNs are added as a property of tree root domains of the forest, >> >>appropriate panel needs to be extended to display them. >> >> >> >>=== CLI === >> >>If TLNs are added as a property of tree root domains of the forest, >> >>appropriate attribute need to be handled by '''trust-show''' command. If >> >>TLNs represented as separate 'trusted domains' of the trusted forest, no >> >>work is needed on CLI other than being able to support 'trusted domains' >> >>without SID and NetBIOS name. >> > >> >What is meant by 'tree root domains of the forest' in IPA context? The >> >trust object? >> Yes. A forest might have multiple tree roots. We establish trust with >> one of them (forest root domain) but you can have distinct tree roots >> too. For a forest example.com a separate tree root could be ad.test >> which is still a part of the forest. In Windows' UI for domains and >> forests trust you'll see it as a separate entry at the top level. Each >> tree root may have associated name suffixes. > >But I thought they still can be used across the whole forest, e.g. if >you assign an alternative domain suffix in the UI of ad.test you can use >this suffix for users from example.com as well? That's something I need to test. It seems like that, though, from what I remember... -- / Alexander Bokovoy From martin at stefany.eu Wed Mar 2 21:15:39 2016 
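The name suffix lookup that the KDC part of the UPN design quoted in the two messages above calls for, as an added Python example (not the FreeIPA KDB driver and not part of the thread). TrustedForest, split_upn and referral_realm are hypothetical names; the matching rule (exact name or DNS child of a stored name, longest match wins, a tie fails) and the choice of the forest root realm as referral target are assumptions.

```python
def _norm(name):
    """Compare DNS-style names case-insensitively, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower()


class TrustedForest(object):
    """Hypothetical in-memory stand-in for one trusted forest's stored names."""

    def __init__(self, root_realm, domains=(), tlns=()):
        self.root_realm = root_realm.upper()
        # Domains and top level names (TLNs) are both usable UPN suffixes.
        self.names = {_norm(n) for n in list(domains) + list(tlns)}

    def match_length(self, suffix):
        """Length of the longest stored name covering suffix, 0 if none."""
        best = 0
        for name in self.names:
            # Match on label boundaries only: 'notexample' is not 'example'.
            if suffix == name or suffix.endswith("." + name):
                best = max(best, len(name))
        return best


def split_upn(upn):
    """Split 'user@suffix' on the last '@'; both parts must be non-empty."""
    user, sep, suffix = upn.rpartition("@")
    suffix = _norm(suffix)
    if not sep or not user or not suffix:
        raise ValueError("not a user principal name: %r" % (upn,))
    return user, suffix


def referral_realm(upn, local_realm, forests):
    """Realm that should handle upn, or None when the suffix is unknown.

    Raises LookupError when two forests claim the suffix equally well,
    because guessing would send credentials to the wrong realm.
    """
    _user, suffix = split_upn(upn)
    if suffix == _norm(local_realm):
        return local_realm.upper()
    scored = [(f.match_length(suffix), f) for f in forests]
    best = max([score for score, _f in scored] or [0])
    if best == 0:
        return None
    winners = [f for score, f in scored if score == best]
    if len(winners) > 1:
        raise LookupError("suffix %r is claimed by several forests" % suffix)
    return winners[0].root_realm


# Constructed sample data following the names used in the thread.
LOCAL_REALM = "IPA.TEST"
DOMAINS = ["example.com", "region.example.com", "ad.test"]
FOREST_WITHOUT_TLNS = TrustedForest("EXAMPLE.COM", DOMAINS)
FOREST_WITH_TLNS = TrustedForest("EXAMPLE.COM", DOMAINS, tlns=["EXAMPLE"])

if __name__ == "__main__":
    for forest in (FOREST_WITHOUT_TLNS, FOREST_WITH_TLNS):
        print(referral_realm("user@EXAMPLE", LOCAL_REALM, [forest]))
```

With only the domain list stored, `user@EXAMPLE` resolves to nothing, which is the gap the design describes; once the TLN is stored with the forest, the same name resolves to `EXAMPLE.COM`.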
From: martin at stefany.eu (Martin Štefany)
Date: Wed, 02 Mar 2016 22:15:39 +0100
Subject: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install
In-Reply-To: <56D71A1A.1060602@redhat.com>
References: <1456175624.5411.4.camel@stefany.eu> <56CF0060.3090202@redhat.com> <56CF0353.5060705@redhat.com> <1456604366.2844.13.camel@stefany.eu> <56D71A1A.1060602@redhat.com>
Message-ID: <1456953339.2507.7.camel@stefany.eu>

Hi,

On St, 2016-03-02 at 17:51 +0100, Martin Basti wrote:
>
>
> On 27.02.2016 21:19, Martin Štefany wrote:
> > Hi,
> >
> > I did as Jan suggested, everything is now a new command 'ipa-sshupdate',
> > (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-paste),
> > rest is based on ipa-client-install's code. I'm not sure if this is
> > correct, but you might want to change ipa-client-install to just 'import
> > ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how this
> > is compatible with 'code deduplication', 're-usage', etc.
> >
> > Another open point from my side is PEP8 compliance, I've ran the new
> > code through pep8 utility with defaults and it's 'OK'. But so is code in
> > my employer's project and they look slightly 'different', mainly for
> > brackets, strings, etc. Please, have a look to that, too, I'm happy for
> > any guidance.
> >
> > Martin
> >
> > On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:
> > > Hi,
> > >
> > > On 25.2.2016 14:23, Martin Basti wrote:
> > > >
> > > >
> > > > On 22.02.2016 22:13, Martin Štefany wrote:
> > > > > Hi,
> > > > >
> > > > > please, review the attached patch which adds --ssh-update to
> > > > > ipa-client-install.
> > > > >
> > > > > Ticket:https://fedorahosted.org/freeipa/ticket/2655
> > > > Hello,
> > > > thank you for your patch.
> > > > Please attach a patch as a file next time.
> > > > > > > > I have doubts that this should be part of ipa-client-install, > > > > this > > > > needs > > > > a broader discussion. > > > +1, I think it should be a separate command (ignore my earlier? > > > suggestion from Trac to incorporate this into ipa-client-install, > > > I > > > was? > > > young and stupid). > > > > > > See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an > > > example? > > > of how such a command should be implemented. > > > > > > > > > > > Code comments inline: > > > > > > > > > > --- > > > > > Martin > > > > > > > > > > > From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 > > > > > > 00:00:00 2001 > > > > > From: Martin Stefany > > > > > Date: Mon, 22 Feb 2016 20:58:13 +0000 > > > > > Subject: [PATCH] Add new parameter --ssh-update to ipa-client- > > > > > install > > > > > > > > > > Add a new parameter '--ssh-update' which can be used later > > > > > after > > > > > freeipa > > > > > client is installed to update SSH hostkeys and SSHFP DNS > > > > > records > > > > > for > > > > > host. > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/2655 > > > > > --- > > > > > ? ipa-client/ipa-install/ipa-client-install | 102 > > > > > +++++++++++++++++++++++++++++- > > > > > ? 1 file changed, 99 insertions(+), 3 deletions(-) > > > > > > > > > > diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- > > > > > client/ipa- > > > > > install/ipa-client-install > > > > > index > > > > > 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bdda > > > > > da89 > > > > > a3b151 > > > > > 33e398ca50 100755 > > > > > --- a/ipa-client/ipa-install/ipa-client-install > > > > > +++ b/ipa-client/ipa-install/ipa-client-install 
> > > > > @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 > > > > > ? CLIENT_NOT_CONFIGURED = 2 > > > > > ? CLIENT_ALREADY_CONFIGURED = 3 > > > > > ? CLIENT_UNINSTALL_ERROR = 4 # error after restoring > > > > > files/state > > > > > +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH > > > > > public > > > > > keys > > > > > > > > > > ? def parse_options(): > > > > > ??????def validate_ca_cert_file_option(option, opt, value, > > > > > parser): > > > > > @@ -215,6 +216,12 @@ def parse_options(): > > > > > ????????????????????????????????????????????"be run with -- > > > > > unattended > > > > > option") > > > > > ??????parser.add_option_group(uninstall_group) > > > > > > > > > > +????sshupdate_group = OptionGroup(parser, "SSH key update > > > > > options") > > > > > +????sshupdate_group.add_option("--ssh-update", > > > > > dest="ssh_update", > > > > > +??????????????????????action="store_true", default=False, > > > > > +??????????????????????help="update local host's SSH public > > > > > keys > > > > > in host > > > > > entry and DNS.") > > > > > +????parser.add_option_group(sshupdate_group) > > > > > + > > > > > ??????options, args = parser.parse_args() > > > > > ??????safe_opts = parser.get_safe_opts(options) 
> > > > > > > > > > @@ -840,6 +847,92 @@ def uninstall(options, env): > > > > > > > > > > ??????return rv > > > > > > > > > > +def sshupdate(options, env): > > > > > +????if not is_ipa_client_installed(): > > > > > +????????root_logger.error("IPA client is not configured on > > > > > this > > > > > system.") > > > > > +????????return CLIENT_NOT_CONFIGURED > > > > > + > > > > > +????api.bootstrap(context='cli_installer', > > > > > debug=options.debug) > > > > > +????api.finalize() > > > > > +????if 'config_loaded' not in api.env: > > > > > +????????root_logger.error("Failed to initialize IPA API.") > > > > > +????????return CLIENT_SSHUPDATE_ERROR > > > > > + > > > > > +????# Now, let's try to connect to the server's RPC interface > > > > > +????connected = False > > > > > +????try: > > > > > +????????api.Backend.rpcclient.connect() > > > > > +????????connected = True > > > > > +????????root_logger.debug("Try RPC connection") > > > > > +????????api.Backend.rpcclient.forward('ping') > > > > > +????except errors.KerberosError as e: > > > > > +????????if connected: > > > > > +????????????api.Backend.rpcclient.disconnect() > > > > > +????????root_logger.info( > > > > > +????????????"Cannot connect to the server due to Kerberos > > > > > error: > > > > > %s. " > > > > > +????????????"Trying with delegate=True", e) > > > > > +????????try: > > > > > +????????????api.Backend.rpcclient.connect(delegate=True) > > > > > +????????????root_logger.debug("Try RPC connection") > > > > > +????????????api.Backend.rpcclient.forward('ping') > > > > > + > > > > > +????????????root_logger.info("Connection with delegate=True > > > > > successful") > > > > > + > > > > > +????????????# The remote server is not capable of Kerberos > > > > > S4U2Proxy > > > > > +????????????# delegation. 
This features is implemented in IPA > > > > > server > > > > > +????????????# version 2.2 and higher > > > > > +????????????root_logger.warning( > > > > > +????????????????"Target IPA server has a lower version than > > > > > the > > > > > enrolled " > > > > > +????????????????"client") > > > > > +????????????root_logger.warning( > > > > > +????????????????"Some capabilities including the ipa command > > > > > capability > > > > > " > > > > > +????????????????"may not be available") > > > > > +????????except errors.PublicError as e2: > > > > > +????????????root_logger.warning( > > > > > +????????????????"Second connect with delegate=True also > > > > > failed: > > > > > %s", > > > > > e2) > > > > > +????????????root_logger.error( > > > > > +????????????????"Cannot connect to the IPA server RPC > > > > > interface: > > > > > %s", > > > > > e2) > > > > > +????????????return CLIENT_SSHUPDATE_ERROR > > > > > +????except errors.PublicError as e: > > > > > +????????root_logger.error( > > > > > +????????????"Cannot connect to the server due to generic > > > > > error: > > > > > %s", e) > > > > > +????????return CLIENT_SSHUPDATE_ERROR > > > > I think you should be kinited with client keytab, client is > > > > allowed > > > > to > > > > modify its SSHpublic keys in ldap. I'd only require to be root > > > > to > > > > execute it. 
> > > > > > > > kinit -kt /etc/krb5.keytab host/`hostname` > > > > ipa host-mod `hostname` --sshpubkey="something" > > > > > > > > Also this rpcconnection looks to me too much complicated, I > > > > think it > > > > should be just simple rpcconnect > > > > > > > > > + > > > > > +????# We need to pull IPA server address from default.conf > > > > > +????try: > > > > > +????????parser = RawConfigParser() > > > > > +????????parser.read(paths.IPA_DEFAULT_CONF) > > > > > +????????cli_realm = parser.get('global', 'realm') > > > > > +????????hostname = parser.get('global', 'host') > > > > > +????# TODO: consult with review team > > > > > +????# except ConfigParser.NoSectionError as e: > > > > > +????#?????pass > > > > > +????# except ConfigParser.ParsingError as e: > > > > > +????#?????pass > > > > > +????finally: > > > > > +????????pass > > > > You can raise error there. > > > > > > > > > + > > > > > +????host_principal = 'host/%s@%s' % (hostname, cli_realm) > > > > > +????# Obtain the TGT. We do it with the temporary krb5.conf, > > > > > so > > > > > that > > > > > +????# only the KDC we're installing under is contacted. > > > > > +????# Other KDCs might not have replicated the principal yet. > > > > > +????# Once we have the TGT, it's usable on any server. 
> > > > I don't think that temporary krb5.conf should be used here > > > > > +????try: > > > > > +????????ipautil.kinit_keytab(host_principal, > > > > > paths.KRB5_KEYTAB, > > > > > +?????????????????????????????CCACHE_FILE, > > > > > +?????????????????????????????# config=krb_name, > > > > > +?????????????????????????????attempts=options.kinit_attempts) > > > > > +????????env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = > > > > > CCACHE_FILE > > > > > +????except Krb5Error as e: > > > > > +????????print_port_conf_info() > > > > > +????????root_logger.error("Failed to obtain host TGT: %s" % > > > > > e) > > > > > +????????# failure to get ticket makes it impossible to login > > > > > and > > > > > bind > > > > > +????????# from sssd to LDAP, abort installation and rollback > > > > > changes > > > > > +????????return CLIENT_INSTALL_ERROR > > > > This is not install error. > > > > > > > > > + > > > > > +????# passing server parameter seems unneccessary, thus > > > > > passing > > > > > only "" > > > > > +????update_ssh_keys("", hostname, > > > > > services.knownservices.sshd.get_config_dir(), > > > > > options.create_sshfp) > > > > > + > > > > > ? def configure_ipa_conf(fstore, cli_basedn, cli_realm, > > > > > cli_domain, > > > > > cli_server, hostname): > > > > > ??????ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA > > > > > Installer") > > > > > ??????ipaconf.setOptionAssignment(" =") 
@@ -2797,7 +2890,7 @@ > > > > > def > > > > > install(options, env, fstore, > > > > > statestore):??????????????connected = True > > > > > ?????????????root_logger.debug("Try RPC connection") > > > > > ??????????????api.Backend.rpcclient.forward('ping') > > > > > -????????except errors.KerberosError, e: > > > > > +????????except errors.KerberosError as e: > > > > Please don't modify code that already exists and it is not > > > > related > > > > to > > > > this change > > > > > ??????????????if connected: > > > > > ??????????????????api.Backend.rpcclient.disconnect() > > > > > ??????????????root_logger.info( > > > > > @@ -2820,13 +2913,13 @@ def install(options, env, fstore, > > > > > statestore): > > > > > ??????????????????root_logger.warning( > > > > > ??????????????????????"Some capabilities including the ipa > > > > > command > > > > > capability " > > > > > ??????????????????????"may not be available") > > > > > -????????????except errors.PublicError, e2: > > > > > +????????????except errors.PublicError as e2: > > > > Remove this from patch too > > > > > ??????????????????root_logger.warning( > > > > > ??????????????????????"Second connect with delegate=True also > > > > > failed: > > > > > %s", e2) > > > > > ??????????????????root_logger.error( > > > > > ??????????????????????"Cannot connect to the IPA server RPC > > > > > interface: > > > > > %s", e2) > > > > > ??????????????????return CLIENT_INSTALL_ERROR > > > > > -????????except errors.PublicError, e: > > > > > +????????except errors.PublicError as e: > > > > and this too > > > > > ??????????????root_logger.error( > > > > > ??????????????????"Cannot connect to the server due to generic > > > > > error: > > > > > %s", e) > > > > > ??????????????return CLIENT_INSTALL_ERROR 
> > > > > @@ -3088,6 +3181,9 @@ def main(): > > > > > ??????if options.uninstall: > > > > > ??????????return uninstall(options, env) > > > > > > > > > > +????if options.ssh_update: > > > > > +????????return sshupdate(options, env) > > > > > + > > > > > ??????if is_ipa_client_installed(on_master=options.on_master): > > > > > ??????????root_logger.error("IPA client is already configured > > > > > on > > > > > this > > > > > system.") > > > > > ??????????root_logger.info( > > > > > -- > > > > > 1.8.3.1 > > > > > > > > > > > > > > Martin^2 > > > > > > > > > > > Honza > ? > Thanks, > > I have a few comments > > 1) > Please use new license format in header of the new files > > # > # Copyright (C) 2016??FreeIPA Contributors see COPYING for license > # OK > > 2) > This is very bad, I sent patch to fix it in client code > +??????????????? except ValueError as UnicodeDecodeError: > +??????????????????? continue > > it should be except (ValueError, UnicodeDecodeError): > and maybe debug log? Something like? : +????????????for line in f: +????????????????line = line[:-1].lstrip() +????????????????if not line or line.startswith('#'): +????????????????????continue +????????????????try: +????????????????????pubkey = ssh.SSHPublicKey(line) +????????????????????self.log.info("Adding SSH public key from %s", filename) +????????????????????pubkeys.append(pubkey) +????????????????except (ValueError, UnicodeDecodeError) as e: +????????????????????self.log.debug( +????????????????????????"Skipping SSH public key from %s due to error: %s", +????????????????????????filename, e +????????????????????) I had to move it inside try-except clause since not assigning pubkey and handling exception causes then "exception: UnboundLocalError: local variable 'pubkey' referenced before assignment" :\ Should it be debug or warning? > > 3) > I see many errors, respectively not so nice code there, but I realized > that everything is from ipa-client-install. 
I think it would be better > to extract update_ssh_keys, and do_nsupdate to separate module and > reuse it in both scripts. > > I have to find out which (ipaclient, ipalib, ...) module are the best. > > Then fix issues with these functions. > > stay tuned :) > Martin^2 > Thank you! Regards, Martin From jcholast at redhat.com Thu Mar 3 07:18:31 2016
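Review bot: in the "@@ -840,6 +847,92 @@" hunk, sshupdate() ends at the update_ssh_keys("", hostname, ...) call with no return statement, so "return sshupdate(options, env)" in main() yields None and the run reads as success to the caller whether or not any key was updated; return an explicit status (0 or CLIENT_SSHUPDATE_ERROR) that reflects the outcome of update_ssh_keys(). In the same function the "except Krb5Error" branch returns CLIENT_INSTALL_ERROR under a comment about aborting installation and rolling back changes, where CLIENT_SSHUPDATE_ERROR is the code this patch defines for that case. The "try:" around parser.get('global', 'realm') has only "finally: pass", so a missing section or option ends in a traceback instead of a logged error and a return code, and the rpcclient connection opened at the top of the function is not disconnected on any path.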
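Review bot: in the "@@ -3088,6 +3181,9 @@" hunk, the new "if options.ssh_update:" test comes after "if options.uninstall:", so a command line carrying both --uninstall and --ssh-update uninstalls the client and never reports that the second option was ignored; reject the combination in parse_options(), next to where "--ssh-update" is registered, for example with parser.error(), so the two modes are mutually exclusive before any work starts.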
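Review bot: in the "for line in f:" fragment proposed near the end of the message, "line = line[:-1].lstrip()" drops the last character unconditionally, so a final line without a trailing newline loses the last character of its key or comment, and a carriage return before the newline is kept; line.strip() covers both cases. Keeping pubkeys.append(pubkey) inside the try block is the right fix for the UnboundLocalError. A skipped line means the host entry ends up without that key, so logging the skip at warning level, with the file name as the debug call already has it, would make the omission visible in a default run.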
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 3 Mar 2016 08:18:31 +0100 Subject: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install In-Reply-To: <1456953339.2507.7.camel@stefany.eu> References: <1456175624.5411.4.camel@stefany.eu> <56CF0060.3090202@redhat.com> <56CF0353.5060705@redhat.com> <1456604366.2844.13.camel@stefany.eu> <56D71A1A.1060602@redhat.com> <1456953339.2507.7.camel@stefany.eu> Message-ID: <56D7E547.30208@redhat.com> On 2.3.2016 22:15, Martin ?tefany wrote: > Hi, > > On St, 2016-03-02 at 17:51 +0100, Martin Basti wrote: >> >> >> On 27.02.2016 21:19, Martin ?tefany wrote: >>> Hi, >>> >>> I did as Jan suggested, everything is now a new command 'ipa- >>> sshupdate', >>> (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy- >>> paste), >>> rest is based on ipa-client-install's code. I'm not sure if this is >>> correct, but you might want to change ipa-client-install to just >>> 'import >>> ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how >>> this >>> is compatible with 'code deduplication', 're-usage', etc. >>> >>> Another open point from my side is PEP8 compliance, I've ran the new >>> code through pep8 utility with defaults and it's 'OK'. But so is >>> code in >>> my employer's project and they look slightly 'different', mainly for >>> brackets, strings, etc. Please, have a look to that, too, I'm happy >>> for >>> any guidance. >>> >>> Martin >>> >>> On ?t, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 25.2.2016 14:23, Martin Basti wrote: >>>>> >>>>> >>>>> On 22.02.2016 22:13, Martin ?tefany wrote: >>>>>> Hi, >>>>>> >>>>>> please, review the attached patch which adds --ssh-update to >>>>>> ipa- >>>>>> client- >>>>>> install. >>>>>> >>>>>> Ticket:https://fedorahosted.org/freeipa/ticket/2655 >>>>> Hello, >>>>> thank you for your patch. >>>>> Please attach a patch as a file next time. 
>>>>> >>>>> I have doubts that this should be part of ipa-client-install, >>>>> this >>>>> needs >>>>> a broader discussion. >>>> +1, I think it should be a separate command (ignore my earlier >>>> suggestion from Trac to incorporate this into ipa-client-install, >>>> I >>>> was >>>> young and stupid). >>>> >>>> See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an >>>> example >>>> of how such a command should be implemented. >>>> >>>>> >>>>> Code comments inline: >>>>>> >>>>>> --- >>>>>> Martin >>>>>> >>>>>>> From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 >>>>>>> 00:00:00 2001 >>>>>> From: Martin Stefany >>>>>> Date: Mon, 22 Feb 2016 20:58:13 +0000 >>>>>> Subject: [PATCH] Add new parameter --ssh-update to ipa-client- >>>>>> install >>>>>> >>>>>> Add a new parameter '--ssh-update' which can be used later >>>>>> after >>>>>> freeipa >>>>>> client is installed to update SSH hostkeys and SSHFP DNS >>>>>> records >>>>>> for >>>>>> host. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2655 >>>>>> --- >>>>>> ipa-client/ipa-install/ipa-client-install | 102 >>>>>> +++++++++++++++++++++++++++++- >>>>>> 1 file changed, 99 insertions(+), 3 deletions(-) >>>>>> >>>>>> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- >>>>>> client/ipa- >>>>>> install/ipa-client-install >>>>>> index >>>>>> 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bdda >>>>>> da89 >>>>>> a3b151 >>>>>> 33e398ca50 100755 >>>>>> --- a/ipa-client/ipa-install/ipa-client-install >>>>>> +++ b/ipa-client/ipa-install/ipa-client-install >>>>>> @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 >>>>>> CLIENT_NOT_CONFIGURED = 2 >>>>>> CLIENT_ALREADY_CONFIGURED = 3 >>>>>> CLIENT_UNINSTALL_ERROR = 4 # error after restoring >>>>>> files/state >>>>>> +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH >>>>>> public >>>>>> keys >>>>>> >>>>>> def parse_options(): >>>>>> def validate_ca_cert_file_option(option, opt, value, >>>>>> parser): 
>>>>>> @@ -215,6 +216,12 @@ def parse_options(): >>>>>> "be run with -- >>>>>> unattended >>>>>> option") >>>>>> parser.add_option_group(uninstall_group) >>>>>> >>>>>> + sshupdate_group = OptionGroup(parser, "SSH key update >>>>>> options") >>>>>> + sshupdate_group.add_option("--ssh-update", >>>>>> dest="ssh_update", >>>>>> + action="store_true", default=False, >>>>>> + help="update local host's SSH public >>>>>> keys >>>>>> in host >>>>>> entry and DNS.") >>>>>> + parser.add_option_group(sshupdate_group) >>>>>> + >>>>>> options, args = parser.parse_args() >>>>>> safe_opts = parser.get_safe_opts(options) >>>>>> 
>>>>>> @@ -840,6 +847,92 @@ def uninstall(options, env): >>>>>> >>>>>> return rv >>>>>> >>>>>> +def sshupdate(options, env): >>>>>> + if not is_ipa_client_installed(): >>>>>> + root_logger.error("IPA client is not configured on >>>>>> this >>>>>> system.") >>>>>> + return CLIENT_NOT_CONFIGURED >>>>>> + >>>>>> + api.bootstrap(context='cli_installer', >>>>>> debug=options.debug) >>>>>> + api.finalize() >>>>>> + if 'config_loaded' not in api.env: >>>>>> + root_logger.error("Failed to initialize IPA API.") >>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>>> + >>>>>> + # Now, let's try to connect to the server's RPC interface >>>>>> + connected = False >>>>>> + try: >>>>>> + api.Backend.rpcclient.connect() >>>>>> + connected = True >>>>>> + root_logger.debug("Try RPC connection") >>>>>> + api.Backend.rpcclient.forward('ping') >>>>>> + except errors.KerberosError as e: >>>>>> + if connected: >>>>>> + api.Backend.rpcclient.disconnect() >>>>>> + root_logger.info( >>>>>> + "Cannot connect to the server due to Kerberos >>>>>> error: >>>>>> %s. " >>>>>> + "Trying with delegate=True", e) >>>>>> + try: >>>>>> + api.Backend.rpcclient.connect(delegate=True) >>>>>> + root_logger.debug("Try RPC connection") >>>>>> + api.Backend.rpcclient.forward('ping') >>>>>> + >>>>>> + root_logger.info("Connection with delegate=True >>>>>> successful") >>>>>> + >>>>>> + # The remote server is not capable of Kerberos >>>>>> S4U2Proxy >>>>>> + # delegation. 
This features is implemented in IPA >>>>>> server >>>>>> + # version 2.2 and higher >>>>>> + root_logger.warning( >>>>>> + "Target IPA server has a lower version than >>>>>> the >>>>>> enrolled " >>>>>> + "client") >>>>>> + root_logger.warning( >>>>>> + "Some capabilities including the ipa command >>>>>> capability >>>>>> " >>>>>> + "may not be available") >>>>>> + except errors.PublicError as e2: >>>>>> + root_logger.warning( >>>>>> + "Second connect with delegate=True also >>>>>> failed: >>>>>> %s", >>>>>> e2) >>>>>> + root_logger.error( >>>>>> + "Cannot connect to the IPA server RPC >>>>>> interface: >>>>>> %s", >>>>>> e2) >>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>>> + except errors.PublicError as e: >>>>>> + root_logger.error( >>>>>> + "Cannot connect to the server due to generic >>>>>> error: >>>>>> %s", e) >>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>> I think you should be kinited with client keytab, client is >>>>> allowed >>>>> to >>>>> modify its SSHpublic keys in ldap. I'd only require to be root >>>>> to >>>>> execute it. >>>>> >>>>> kinit -kt /etc/krb5.keytab host/`hostname` >>>>> ipa host-mod `hostname` --sshpubkey="something" >>>>> >>>>> Also this rpcconnection looks to me too much complicated, I >>>>> think it >>>>> should be just simple rpcconnect >>>>> >>>>>> + >>>>>> + # We need to pull IPA server address from default.conf >>>>>> + try: >>>>>> + parser = RawConfigParser() >>>>>> + parser.read(paths.IPA_DEFAULT_CONF) >>>>>> + cli_realm = parser.get('global', 'realm') >>>>>> + hostname = parser.get('global', 'host') >>>>>> + # TODO: consult with review team >>>>>> + # except ConfigParser.NoSectionError as e: >>>>>> + # pass >>>>>> + # except ConfigParser.ParsingError as e: >>>>>> + # pass >>>>>> + finally: >>>>>> + pass >>>>> You can raise error there. >>>>> >>>>>> + >>>>>> + host_principal = 'host/%s@%s' % (hostname, cli_realm) >>>>>> + # Obtain the TGT. 
We do it with the temporary krb5.conf, >>>>>> so >>>>>> that >>>>>> + # only the KDC we're installing under is contacted. >>>>>> + # Other KDCs might not have replicated the principal yet. >>>>>> + # Once we have the TGT, it's usable on any server. >>>>> I don't think that temporary krb5.conf should be used here >>>>>> + try: >>>>>> + ipautil.kinit_keytab(host_principal, >>>>>> paths.KRB5_KEYTAB, >>>>>> + CCACHE_FILE, >>>>>> + # config=krb_name, >>>>>> + attempts=options.kinit_attempts) >>>>>> + env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = >>>>>> CCACHE_FILE >>>>>> + except Krb5Error as e: >>>>>> + print_port_conf_info() >>>>>> + root_logger.error("Failed to obtain host TGT: %s" % >>>>>> e) >>>>>> + # failure to get ticket makes it impossible to login >>>>>> and >>>>>> bind >>>>>> + # from sssd to LDAP, abort installation and rollback >>>>>> changes >>>>>> + return CLIENT_INSTALL_ERROR >>>>> This is not install error. >>>>> >>>>>> + >>>>>> + # passing server parameter seems unneccessary, thus >>>>>> passing >>>>>> only "" >>>>>> + update_ssh_keys("", hostname, >>>>>> services.knownservices.sshd.get_config_dir(), >>>>>> options.create_sshfp) >>>>>> + >>>>>> def configure_ipa_conf(fstore, cli_basedn, cli_realm, >>>>>> cli_domain, >>>>>> cli_server, hostname): >>>>>> ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA >>>>>> Installer") >>>>>> ipaconf.setOptionAssignment(" =") @@ -2797,7 +2890,7 @@ >>>>>> def >>>>>> install(options, env, fstore, >>>>>> statestore): connected = True >>>>>> root_logger.debug("Try RPC connection") >>>>>> api.Backend.rpcclient.forward('ping') >>>>>> - except errors.KerberosError, e: >>>>>> + except errors.KerberosError as e: >>>>> Please don't modify code that already exists and it is not >>>>> related >>>>> to >>>>> this change >>>>>> if connected: >>>>>> api.Backend.rpcclient.disconnect() >>>>>> root_logger.info( 
>>>>>> @@ -2820,13 +2913,13 @@ def install(options, env, fstore, >>>>>> statestore): >>>>>> root_logger.warning( >>>>>> "Some capabilities including the ipa >>>>>> command >>>>>> capability " >>>>>> "may not be available") >>>>>> - except errors.PublicError, e2: >>>>>> + except errors.PublicError as e2: >>>>> Remove this from patch too >>>>>> root_logger.warning( >>>>>> "Second connect with delegate=True also >>>>>> failed: >>>>>> %s", e2) >>>>>> root_logger.error( >>>>>> "Cannot connect to the IPA server RPC >>>>>> interface: >>>>>> %s", e2) >>>>>> return CLIENT_INSTALL_ERROR >>>>>> - except errors.PublicError, e: >>>>>> + except errors.PublicError as e: >>>>> and this too >>>>>> root_logger.error( >>>>>> "Cannot connect to the server due to generic >>>>>> error: >>>>>> %s", e) >>>>>> return CLIENT_INSTALL_ERROR 
>>>>>> @@ -3088,6 +3181,9 @@ def main(): >>>>>> if options.uninstall: >>>>>> return uninstall(options, env) >>>>>> >>>>>> + if options.ssh_update: >>>>>> + return sshupdate(options, env) >>>>>> + >>>>>> if is_ipa_client_installed(on_master=options.on_master): >>>>>> root_logger.error("IPA client is already configured >>>>>> on >>>>>> this >>>>>> system.") >>>>>> root_logger.info( >>>>>> -- >>>>>> 1.8.3.1 >>>>>> >>>>>> >>>>> Martin^2 >>>>> >>>>> >>>> Honza >> >> Thanks, >> >> I have a few comments >> >> 1) >> Please use new license format in header of the new files >> >> # >> # Copyright (C) 2016 FreeIPA Contributors see COPYING for license >> # > OK >> >> 2) >> This is very bad, I sent patch to fix it in client code >> + except ValueError as UnicodeDecodeError: >> + continue >> >> it should be except (ValueError, UnicodeDecodeError): >> and maybe debug log? > Something like? : > > + for line in f: > + line = line[:-1].lstrip() > + if not line or line.startswith('#'): > + continue > + try: > + pubkey = ssh.SSHPublicKey(line) > + self.log.info("Adding SSH public key from %s", > filename) > + pubkeys.append(pubkey) > + except (ValueError, UnicodeDecodeError) as e: > + self.log.debug( > + "Skipping SSH public key from %s due to error: > %s", > + filename, e > + ) > > I had to move it inside try-except clause since not assigning pubkey and > handling exception causes then "exception: UnboundLocalError: local > variable 'pubkey' referenced before assignment" :\ > Should it be debug or warning? >> >> 3) >> I see many errors, respectively not so nice code there, but I realized >> that everything is from ipa-client-install. I think it would be better >> to extract update_ssh_keys, and do_nsupdate to separate module and >> reuse it in both scripts. +1 >> >> I have to find out which (ipaclient, ipalib, ...) module are the best. ipaclient, obviously. >> >> Then fix issues with these functions. 
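Review bot: in the sshupdate() hunk (@@ -840,6 +847,92 @@) the api.Backend.rpcclient.connect() / forward('ping') probe runs before ipautil.kinit_keytab() has obtained the host TGT and before KRB5CCNAME is pointed at CCACHE_FILE, so the probe cannot be using the ticket this function acquires. Move the kinit block above the connect, or drop the probe. The function also falls off the end after update_ssh_keys(...) without returning a status, while main() does "return sshupdate(options, env)"; end it with an explicit success code so the exit status does not rest on None.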
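Review bot: in the main() hunk (@@ -3088,6 +3181,9 @@) options.ssh_update is tested after options.uninstall, so when both flags are passed the uninstall branch returns first and the SSH key update is silently skipped; the parse_options() hunk adds --ssh-update without rejecting that combination. Report the conflict with parser.error() in parse_options(), or state the precedence in the --ssh-update help text.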
4) I would prefer if the script was named "ipa-client-sshinstall", as that's consistent with "ipa-server-certinstall", which does a similar thing with certificates on server. -- Jan Cholasta From lslebodn at redhat.com Thu Mar 3 07:59:12 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 3 Mar 2016 08:59:12 +0100 Subject: [Freeipa-devel] [PATCH 0390] Fix build with GCC 4.9+ In-Reply-To: <56D59AA1.5070306@redhat.com> References: <56C710B0.3020005@redhat.com> <56CF166F.1010003@redhat.com> <20160301110658.GA31766@mail.corp.redhat.com> <56D59AA1.5070306@redhat.com> Message-ID: <20160303075911.GA3753@mail.corp.redhat.com> On (01/03/16 14:35), Petr Spacek wrote: >On 1.3.2016 12:06, Lukas Slebodnik wrote: >> On (25/02/16 15:57), Petr Spacek wrote: >>> On 19.2.2016 13:55, Petr Spacek wrote: >>>> Hello, >>>> >>>> Fix build with GCC 4.9+. >>>> >>>> GCC 4.9+ is too aggressive when optimizing functions with nonnull >>>> attributes. This removes most of asserts() in the plugin. >>>> GCC 6 adds warnings for these cases. >>>> >>>> We are disabling the unwanted condition pruning by adding >>>> -fno-delete-null-pointer-checks argument. >>>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >>>> >>>> Additionally we silence warnings to prevent build failures when -Werror >>>> is used. >>>> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >>> >>> Updated version is attached. It contains less autotools magic because it >>> enables attribute nonnull only under Clang static analyzer and Coverity - as a >>> result we do not have to silence GCC warnings from -Wnonnull. >>> >>> Please review so I can fix build in Fedora 24. >>> >>> Thank you. >>> >>> -- >>> Petr^2 Spacek >> >>>From 4732fe9f4e525c44b46e7ed0734ccaec94fba49e Mon Sep 17 00:00:00 2001 
>>> From: Petr Spacek >>> Date: Fri, 19 Feb 2016 13:39:27 +0100 >>> Subject: [PATCH] Fix build with GCC 4.9+. >>> >>> GCC 4.9+ is too aggressive when optimizing functions with nonnull >>> attributes. This removes most of asserts() in the plugin. >>> GCC 6 adds warnings for these cases. >>> >>> We are disabling the unwanted condition pruning by adding >>> -fno-delete-null-pointer-checks argument. >>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >>> >>> Additionally we enable nonnull attribute only when the build is running under >>> Clang static analyzer or Coverity. >>> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >>> --- >>> configure.ac | 13 +++++++++++++ >>> src/util.h | 8 ++++++-- >>> 2 files changed, 19 insertions(+), 2 deletions(-) >>> >>> diff --git a/configure.ac b/configure.ac >>> index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..a0123ac0a62b5acd5238f028d8c42e83af4060db 100644 >>> --- a/configure.ac >>> +++ b/configure.ac 
>>> @@ -39,6 +39,19 @@ AC_TRY_COMPILE([ >>> [CFLAGS="$SAVED_CFLAGS" >>> AC_MSG_RESULT([no])]) >>> >>> +# Check if build chain supports -fno-delete-null-pointer-checks >>> +# this flag avoids too agressive optimizations which would remove some asserts >>> +# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >>> +AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >>> +SAVED_CFLAGS="$CFLAGS" >>> +CFLAGS="$CFLAGS -fno-delete-null-pointer-checks" >>> +AC_TRY_COMPILE([ >>> + extern int fdef(void); >>> +],[], >>> +[AC_MSG_RESULT([yes])], >>> +[CFLAGS="$SAVED_CFLAGS" >>> + AC_MSG_RESULT([no])]) >>> + >> NACK. >> >> It failes with clang. >> >> configure:12982: checking for -fno-delete-null-pointer-checks compiler flag >> configure:12999: clang -c -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fno-delete-null-pointer-checks conftest.c >&5 >> clang-3.8: warning: optimization flag '-fno-delete-null-pointer-checks' is not supported >> clang-3.8: warning: argument unused during compilation: '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' >> configure:12999: $? = 0 >> configure:13000: result: yes >> >> Reproducer: >> autoreconf -if && CC=clang ./configure && make > >Thanks! I was testing this only with Clang static analyzer ... > >Here is updated patch. > >-- >Petr^2 Spacek >From 6b2ac51fe4ff75c9f59499cbaa4306f70db46425 Mon Sep 17 00:00:00 2001 
>From: Petr Spacek >Date: Fri, 19 Feb 2016 13:39:27 +0100 >Subject: [PATCH] Fix build with GCC 4.9+. > >GCC 4.9+ is too aggressive when optimizing functions with nonnull >attributes. This removes most of asserts() in the plugin. >GCC 6 adds warnings for these cases. > >We are disabling the unwanted condition pruning by adding >-fno-delete-null-pointer-checks argument. >BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. > >Additionally we enable nonnull attribute only when the build is running under >Clang static analyzer or Coverity. > >https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >--- > configure.ac | 14 ++++++++++++++ > src/util.h | 8 ++++++-- > 2 files changed, 20 insertions(+), 2 deletions(-) > >diff --git a/configure.ac b/configure.ac >index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..48f5cb63c3bb5535fe1da56abe7583e15d4b5f92 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -39,6 +39,20 @@ AC_TRY_COMPILE([ > [CFLAGS="$SAVED_CFLAGS" > AC_MSG_RESULT([no])]) > >+# Check if build chain supports -fno-delete-null-pointer-checks >+# this flag avoids too agressive optimizations which would remove some asserts >+# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >+AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >+SAVED_CFLAGS="$CFLAGS" >+CFLAGS="-fno-delete-null-pointer-checks -Werror" >+AC_TRY_COMPILE([ >+ extern int fdef(void); >+],[], >+[AC_MSG_RESULT([yes]) >+ CFLAGS="$SAVED_CFLAGS -fno-delete-null-pointer-checks"], >+[CFLAGS="$SAVED_CFLAGS" >+ AC_MSG_RESULT([no])]) >+ > # Get CFLAGS from isc-config.sh > AC_ARG_VAR([BIND9_CFLAGS], > [C compiler flags for bind9, overriding isc-config.sh]) >diff --git a/src/util.h b/src/util.h >index 9849ff9b6c38ec1c6dd143440d5b5e584b2ecd51..402503c339a5ab6ca5273cae420e743b9fc252ab 100644 >--- a/src/util.h >+++ b/src/util.h 
>@@ -103,11 +103,15 @@ extern isc_boolean_t verbose_checks; /* from settings.c */ > /* If no argument index list is given to the nonnull attribute, > * all pointer arguments are marked as non-null. */ > #define ATTR_NONNULLS ATTR_NONNULL() >-#ifdef __GNUC__ >+#if defined(__COVERITY__) || defined(__clang_analyzer__) > #define ATTR_NONNULL(...) __attribute__((nonnull(__VA_ARGS__))) >-#define ATTR_CHECKRESULT __attribute__((warn_unused_result)) > #else > #define ATTR_NONNULL(...) >+#endif >+ >+#if defined(__GNUC__) >+#define ATTR_CHECKRESULT __attribute__((warn_unused_result)) >+#else > #define ATTR_CHECKRESULT > #endif ACK LS From lslebodn at redhat.com Thu Mar 3 08:01:58 2016 
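Review bot: in the configure.ac hunk (@@ -39,6 +39,20 @@) the probe replaces CFLAGS with "-fno-delete-null-pointer-checks -Werror", but the added comment does not say why -Werror is there. The configure log quoted earlier in this thread shows clang only warning that the flag is not supported and still exiting 0, so -Werror is what makes the probe answer "no"; a one-line comment saying so would keep it from being dropped later. The comment also spells "aggressive" as "agressive".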
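Review bot: in the src/util.h hunk (@@ -103,11 +103,15 @@) ATTR_NONNULL now expands to nothing unless __COVERITY__ or __clang_analyzer__ is defined, and the reason (GCC 4.9+ pruning the asserts behind nonnull) is recorded only in the commit message. Add a short comment above the #if explaining that, so the condition is not widened back to __GNUC__. The existing comment about ATTR_NONNULLS marking all pointer arguments as non-null now holds only in analyzer builds and could say so.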
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 3 Mar 2016 09:01:58 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap] [PATCH] SPEC: Add missing build dependency
In-Reply-To: <56D59AA1.5070306@redhat.com>
References: <56C710B0.3020005@redhat.com> <56CF166F.1010003@redhat.com> <20160301110658.GA31766@mail.corp.redhat.com> <56D59AA1.5070306@redhat.com>
Message-ID: <20160303080157.GB3753@mail.corp.redhat.com>

On (01/03/16 14:35), Petr Spacek wrote:
>On 1.3.2016 12:06, Lukas Slebodnik wrote:
>> On (25/02/16 15:57), Petr Spacek wrote:
>>> On 19.2.2016 13:55, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> Fix build with GCC 4.9+.
>>>>
>>>> GCC 4.9+ is too aggressive when optimizing functions with nonnull
>>>> attributes. This removes most of asserts() in the plugin.
>>>> GCC 6 adds warnings for these cases.
>>>>
>>>> We are disabling the unwanted condition pruning by adding
>>>> -fno-delete-null-pointer-checks argument.
>>>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a.
>>>>
>>>> Additionally we silence warnings to prevent build failures when -Werror
>>>> is used.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346
>>>
>>> Updated version is attached. It contains less autotools magic because it
>>> enables attribute nonnull only under Clang static analyzer and Coverity - as a
>>> result we do not have to silence GCC warnings from -Wnonnull.
>>>
>>> Please review so I can fix build in Fedora 24.
>>>

Don't forget to fix rawhide and 24; they are already separate branches.

BTW you have a missing build dependency in the upstream spec file, and the Fedora spec file has an unnecessary export of cflags:
export CFLAGS="`isc-config.sh --cflags dns` $RPM_OPT_FLAGS"

LS
-------------- next part --------------
>From 3b7c0a4edfdb5f7020696c20229216203d78e3d1 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik Date: Thu, 3 Mar 2016 07:45:45 +0000 Subject: [PATCH 1/2] SPEC: Add missing build dependency --- contrib/bind-dyndb-ldap.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index 97adc5e..92283f4 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -14,6 +14,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: bind-devel >= 32:9.9.0, bind-lite-devel >= 32:9.9.0 BuildRequires: krb5-devel BuildRequires: openldap-devel +BuildRequires: libuuid-devel BuildRequires: automake, autoconf, libtool Requires: bind >= 32:9.9.0 -- 2.7.2 From mbasti at redhat.com Thu Mar 3 09:06:48 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 3 Mar 2016 10:06:48 +0100 Subject: [Freeipa-devel] [PATCHES 548-549] ipalib: add convenient Command method for adding messages In-Reply-To: <56D6FA4E.6060905@redhat.com> References: <56D6FA4E.6060905@redhat.com> Message-ID: <56D7FEA8.3090207@redhat.com> On 02.03.2016 15:35, Jan Cholasta wrote: > Hi, > > these patches are for master only, see commit messages for details. > > Honza > I love these patches. ACK, it works! Pushed to master: 3c57c305add17b95d4fb962efd9e5dfc9bd35efe From jcholast at redhat.com Thu Mar 3 09:33:13 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 3 Mar 2016 10:33:13 +0100
Subject: [Freeipa-devel] [PATCHES] 0772-0774 Python3 fixes in for client installation
In-Reply-To: <56D6F19D.4020605@redhat.com>
References: <56CAF30F.7010306@redhat.com> <56D079F2.2020501@redhat.com> <56D3EF5C.1090008@redhat.com> <56D46E6A.2050600@redhat.com> <56D54B73.6000500@redhat.com> <56D6F19D.4020605@redhat.com>
Message-ID: <56D804D9.2080106@redhat.com>

On 2.3.2016 14:58, Petr Viktorin wrote:
> On 03/01/2016 08:57 AM, Jan Cholasta wrote:
>> On 29.2.2016 17:14, Petr Viktorin wrote:
>>> On 02/29/2016 08:12 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 26.2.2016 17:14, Petr Viktorin wrote:
>>>>> On 02/22/2016 12:37 PM, Petr Viktorin wrote:
>>>>>> Hello,
>>>>>> These fixes are needed for the "happy path" of ipa-client-install
>>>>>> --server on Python 3.
>>>>>
>>>>> Hello,
>>>>> Could someone please look at these patches?
>>>>
>>>> Patch 0772:
>>
>> It seems this bit:
>>
>> + [cn] = lres.raw['cn']
>> + lrealms.append(cn.decode('utf-8'))
>>
>> breaks ipa-client-install:
>>
>> Traceback (most recent call last):
>> File "/sbin/ipa-client-install", line 3099, in
>> sys.exit(main())
>> File "/sbin/ipa-client-install", line 3080, in main
>> rval = install(options, env, fstore, statestore)
>> File "/sbin/ipa-client-install", line 2769, in install
>> delete_persistent_client_session_data(host_principal)
>> File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 145, in
>> delete_persistent_client_session_data
>> kernel_keyring.del_key(keyname)
>> File "/usr/lib/python2.7/site-packages/ipapython/kernel_keyring.py",
>> line 130, in del_key
>> assert isinstance(key, str)
>> AssertionError
>>
>> because realm is returned as unicode from ipadiscovery.
>
> Ah, thanks for the catch. This should fix it.
>
>>
>>>>
>>>> 1) Instead of decoding when the type is bytes in get_ipa_basedn(), read
>>>> attribute values from 'entry.raw' rather than 'entry' and decode always.
>>>
>>> Done.
>>>
>>>> 2) get_ipa_basedn() is used only in ipadiscovery, perhaps we should move
>>>> it there?
>>>
>>> I did that in an extra patch, mainly to make the diff more meaningful.
>>
>> OK. The patch needs a rebase for ipa-4-3, there is a stray
>> get_ipa_basedn import in install/migration/migration.py.
>
> Attaching patch 0775 for that, please apply it before the others.
>
>>>> Patch 0773: ACK, but the patch does not apply on ipa-4-3.
>
> Could you try `git cherry-pick` from the master branch after applying to
> master?
>
>>>> Patch 0774: ACK.

Thanks, ACK.

Pushed to:
master: 34db5759fa8733d875377f4b487d1bcfbf768b0e
ipa-4-3: 6b747431a8289d2fbe931eefbe0a56b36c595b7b

--
Jan Cholasta
From pvoborni at redhat.com Thu Mar 3 12:37:39 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 3 Mar 2016 13:37:39 +0100
Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
In-Reply-To: <1439242637.20262.98.camel@willson.usersys.redhat.com>
References: <20150721114114.GA7078@p.redhat.com> <721412384.2383594.1437572511320.JavaMail.zimbra@redhat.com> <20150728101515.GA7078@p.redhat.com> <1438081537.13513.17.camel@willson.usersys.redhat.com> <20150728112634.GP21928@redhat.com> <20150728114229.GC17746@p.redhat.com> <20150728130256.GA20980@p.redhat.com> <20150807205619.GA22106@redhat.com> <1439145950.20262.73.camel@willson.usersys.redhat.com> <20150810193942.GH22106@redhat.com> <20150810201550.GJ22106@redhat.com> <1439242637.20262.98.camel@willson.usersys.redhat.com>
Message-ID: <56D83013.1000501@redhat.com>

On 08/10/2015 11:37 PM, Simo Sorce wrote:
> On Mon, 2015-08-10 at 23:15 +0300, Alexander Bokovoy wrote:
>> On Mon, 10 Aug 2015, Alexander Bokovoy wrote:
>>> On Sun, 09 Aug 2015, Simo Sorce wrote:
>>>> On Fri, 2015-08-07 at 23:56 +0300, Alexander Bokovoy wrote:
>>>>> On Tue, 28 Jul 2015, Sumit Bose wrote:
>>>>>> On Tue, Jul 28, 2015 at 01:42:29PM +0200, Sumit Bose wrote:
>>>>>>> On Tue, Jul 28, 2015 at 02:26:34PM +0300, Alexander Bokovoy wrote:
>>>>>>>> On Tue, 28 Jul 2015, Simo Sorce wrote:
>>>>>>>>> On Tue, 2015-07-28 at 12:15 +0200, Sumit Bose wrote:
>>>>>>>>>> On Wed, Jul 22, 2015 at 09:41:51AM -0400, Simo Sorce wrote:
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>> From: "Sumit Bose"
>>>>>>>>>>>> To: "freeipa-devel"
>>>>>>>>>>>> Sent: Tuesday, July 21, 2015 7:41:14 AM
>>>>>>>>>>>> Subject: [Freeipa-devel] [PATCH 149] IPA KDB: allow case in-sensitive realm in AS request
>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> this patch is my suggestion to solve
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4844 .
>>>>>>>>>>>>
>>>>>>>>>>>> The original issue in the ticket has two parts. One is a loop in libkrb5
>>>>>>>>>>>> which is already fixed. The other is to handle canonicalization better.
>>>>>>>>>>>
>>>>>>>>>>> Sorry Sumit,
>>>>>>>>>>> I see several issues with this patch.
>>>>>>>>>>>
>>>>>>>>>>> first of all you should really not change ipadb_get_principal(), that's the
>>>>>>>>>>> wrong place to apply your logic.
>>>>>>>>>>>
>>>>>>>>>>> To support searching for the realm name case-insensitively all we should do
>>>>>>>>>>> is to always forcibly upper case the realm name at the same time we build the
>>>>>>>>>>> filter (in ipadb_fetch_principals(), if canonicalization was requested.
>>>>>>>>>>> Because we will never store (code to prevent that should probably be added with
>>>>>>>>>>> this patch) a realm name that is not all caps.
>>>>>>>>>>> Then the post search matches should be done straight within ipadb_find_principal().
>>>>>>>>>>>
>>>>>>>>>>>> The general way to allow canonicalization on a principal is to add the
>>>>>>>>>>>> attributes 'krbcanonicalname'[1] and 'ipakrbprincipalalias' together
>>>>>>>>>>>> with the objectclass 'ipaKrbPrincipal' to the user object.
>>>>>>>>>>>
>>>>>>>>>>> We have already a ticket open since long to remove krbprincipalalias, it was
>>>>>>>>>>> a mistake to add it and any patch that depends on it will be nacked by me.
>>>>>>>>>>> We need to use krbPrincipalName and krbCanonicalName.
>>>>>>>>>>>
>>>>>>>>>>>> Then the IPA
>>>>>>>>>>>> KDB backend will use 'ipakrbprincipalalias' for case in-sensitive
>>>>>>>>>>>> matches and the principal from 'krbcanonicalname' will be the canonical
>>>>>>>>>>>> principal used further on. The 'krbPrincipalName' is not suitable for
>>>>>>>>>>>> either because it has caseExact* matching rules and is a multivalue
>>>>>>>>>>>> attribute [2].
>>>>>>>>>>>
>>>>>>>>>>> Case-exact match is a problem only if we do not canonicalize names when storing
>>>>>>>>>>> them, otherwise all you need to do is store a "search form" in krbPrincipalName
>>>>>>>>>>> and always change searches to that form (forcibly upper case realm, forcibly
>>>>>>>>>>> lowercase components) when canonicalization is requested.
>>>>>>>>>>>
>>>>>>>>>>> Additionally in the patch you are using strcasecmp(), that function is not
>>>>>>>>>>> acceptable, look at ipadb_find_principal() and you'll see we use ulc_casecmp()
>>>>>>>>>>> there.
>>>>>>>>>>> Also modifying the principal before searching is done wrong (you use strchr()
>>>>>>>>>>> to find the @ sign, but you could find an @ in the components this way, you
>>>>>>>>>>> should use strrchr() at the very least), and is dangerous if done outside of
>>>>>>>>>>> the inner functions because then we never have a way to know the original
>>>>>>>>>>> form should it be needed. In any case as said above realm should be forcibly
>>>>>>>>>>> uppercase, given a flag in the escape function instead.
>>>>>>>>>>
>>>>>>>>>> Thanks for the review and the comments.
>>>>>>>>>>
>>>>>>>>>> I changed the patch as you suggested to upper-case the realm in the
>>>>>>>>>> escape function if the flag is set.
>>>>>>>>>>
>>>>>>>>>> I didn't add any checks to make sure that the realm of newly added
>>>>>>>>>> principal attributes is always upper case. Since the attributes can be
>>>>>>>>>> added via various ways I think the check should happen on the DS level
>>>>>>>>>
>>>>>>>>> We should indeed intercept add/modify operations and see if they try to
>>>>>>>>> set krbPrincipalName/krbCanonicalName and then validate the name.
>>>>>>>>> Return unwilling to perform if the case of the realm is different (or
>>>>>>>>> fix it on the fly, up for discussion) from the default case as
>>>>>>>>> configured in the server.
>>>>>>>> Will break trusts -- ipasam does add these principals for krbtgt/IPA at AD.
>>>>>>>>
>>>>>>>>>> but I see this more in the context of full canonicalization fix covered
>>>>>>>>>> by https://fedorahosted.org/freeipa/ticket/3864 . If you think this is a
>>>>>>>>>> requirement for the patch attached I would suggest to drop
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4844 and solve it together with
>>>>>>>>>> #3864.
>>>>>>>>>
>>>>>>>>> We should close 4844 as fixed upstream (there *was* a bug in libkrb5).
>>>>>>>>> I commented on #3864 about what we can do, and we can also avoid
>>>>>>>>> changing the schema.
>>>>>>>> Yep.
>>>>>>>>
>>>>>>>>> So on the new patches, what does "unify" mean? I do not get what it
>>>>>>>>> means (so probably it is a poor name), I guess you may want to call it
>>>>>>>>> "canonicalization" ? (or even 'canon' to shorten it a bit).
>>>>>>>> I have same question. I tried to understand why it is called unify and
>>>>>>>> failed.
>>>>>>>
>>>>>>> I didn't want to use 'canonical' because the result will not be the
>>>>>>> canonical name in the general case but only a name we use for searching.
>>>>>>> I was thinking about 'normalized' but this has a special meaning with
>>>>>>> unicode. So I came up with 'unify'. But if you prefer 'canon' I can
>>>>>>> change it.
>>>>>>>
>>>>>>>>
>>>>>>>>> I think the worst case for a utf8 string is more than length*2, probably
>>>>>>>>> more like length*6, unless there is some guarantee around case changes
>>>>>>>>> that I am not aware of, that said we could probably just allocate on the
>>>>>>>>> stack a fixed size string of a KiB or so, the longest DNS name is 256
>>>>>>>>> chars IIRC and a service name can't be that much longer, also usernames
>>>>>>>>> can't be arbitrarily long. So 1/2 KiB should probably be fine for a full
>>>>>>>>> principal name. (avoids a malloc too which is good).
>>>>>>>> Yes, sounds good. A hostname label can be up to 63 characters and full
>>>>>>>> domain name including dots would be 253 characters. At the same time,
>>>>>>>> a component of the principal may be of arbitrary length. From practical
>>>>>>>> perspective it would probably be enough to go with a static buffer of
>>>>>>>> 1/2 KiB for the quickest case and fall back to malloc() if the size is
>>>>>>>> bigger than that one.
>>>>>>>
>>>>>>> ok, I will change this.
>>>>>>
>>>>>> new version with changed name and 1/2 KiB buffer attached. No changes to
>>>>>> the 2nd patch.
>>>>> Thanks.
>>>>>
>>>>> Patches look good to me. I, perhaps, would have added
>>>>> char *canon_princ = NULL;
>>>>>
>>>>> in the definition of canon_princ but as you never access it in case
>>>>> asprintf() failed, that's fine.
>>>>>
>>>>> Simo?
>>>>>
>>>>
>>>> LGTM.
>>> Hold on. I think I've found a bug -- when krbPrincipalName values match
>>> insensitively but krbCanonicalName value is missing, we do not set
>>> principal to the matched value. This breaks canonicalization for case
>>> when there is only one krbPrincipalName as you don't need to have
>>> krbCanonicalName in this case.
>>>
>>> I have a prototype which still misses checks.
>> ... and I think we miss checks in a few other places. I'm getting
>> canonicalization working randomly -- sometimes one or two times in a row
>> I get 'Client principal is not found' for canonicalization case:
>>
>> Aug 10 20:01:21 m1.example.com krb5kdc[18758](Error): searched for
>> admin at example.com, found admin at EXAMPLE.COM, result is 1, index is 0,
>> next val is (nil)
>>
>> Aug 10 20:01:21 m1.example.com krb5kdc[18758](Error): searched for
>> krbtgt/example.com at example.com, found krbtgt/EXAMPLE.COM at EXAMPLE.COM,
>> result is 1, index is 0, next val is (nil)
>>
>> Aug 10 20:01:21 m1.example.com krb5kdc[18758](info): AS_REQ (6 etypes
>> {18 17 16 23 25 26}) 192.168.122.99: NEEDED_PREAUTH: admin at example.com
>> for krbtgt/example.com at example.com, Additional pre-authentication
>> required
>>
>> Aug 10 20:01:24 m1.example.com krb5kdc[18758](Error): searched for
>> admin at example.com, found admin at EXAMPLE.COM, result is 1, index is 0,
>> next val is (nil)
>>
>> Aug 10 20:01:24 m1.example.com krb5kdc[18758](Error): searched for
>> krbtgt/example.com at example.com, found krbtgt/EXAMPLE.COM at EXAMPLE.COM,
>> result is 1, index is 0, next val is (nil)
>>
>> Aug 10 20:01:24 m1.example.com krb5kdc[18758](info): AS_REQ (6 etypes
>> {18 17 16 23 25 26}) 192.168.122.99: ISSUE: authtime 1439236884, etypes
>> {rep=18 tkt=18 ses=18}, admin at example.com for
>> krbtgt/example.com at example.com
>>
>> Aug 10 20:01:58 m1.example.com krb5kdc[18758](info): AS_REQ (6 etypes
>> {18 17 16 23 25 26}) 192.168.122.99: CLIENT_NOT_FOUND: admin at example.com
>> for krbtgt/example.com at example.com, Client not found in Kerberos
>> database
>>
>> These are logs with debugging I've added.
>> --
>> / Alexander Bokovoy
>>
>
> After looking carefully at this with Alexander I think there are too
> many things to fix and check, and given the looming deadline for Fedora
> we should just postpone. These patches are not critical for us but it
> would be bad if they'd go in and not work as expected.
>
> I can take a better look at them when back from flock.
>
> Simo.
>

Resurrecting this thread so the patches can get into FreeIPA 4.4.
--
Petr Vobornik
From mbasti at redhat.com Thu Mar 3 14:52:04 2016
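The realm handling discussed in the thread above (realm located at the last '@', realm forced to upper case, a 1/2 KiB stack buffer with a malloc() fallback), as an added C example that is not part of the original messages or of the FreeIPA patch. The names realm_part, princ_search_form and SEARCH_FORM_STACK_LEN are hypothetical, and case folding here is ASCII-only, which is an assumption; the UTF-8 length concerns raised in the thread are not addressed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fast-path buffer size: the "1/2 KiB" agreed on in the thread. */
#define SEARCH_FORM_STACK_LEN 512

/*
 * Return the realm part of an unparsed principal, or NULL if it has none.
 * The realm starts after the LAST '@'; strchr() would stop at an '@' that
 * belongs to a component (for example an escaped "\@").
 */
static const char *realm_part(const char *princ)
{
    const char *at = strrchr(princ, '@');
    return at != NULL ? at + 1 : NULL;
}

/*
 * Build the search form of `princ`: components untouched, realm upper-cased.
 * The caller keeps `princ` unmodified, so the original form stays available.
 * Meant to be called only when canonicalization was requested.
 *
 * Returns `stackbuf` when the principal fits, otherwise a malloc()ed copy
 * that is also stored in *heap (the caller frees *heap). NULL on error.
 * Assumption: ASCII-only folding, so the length never changes.
 */
static char *princ_search_form(const char *princ, char *stackbuf,
                               size_t stacklen, char **heap)
{
    const char *realm;
    size_t len, i;
    char *out;

    if (princ == NULL || stackbuf == NULL || heap == NULL)
        return NULL;
    *heap = NULL;

    len = strlen(princ);
    if (len < stacklen) {
        out = stackbuf;                 /* common case: no allocation */
    } else {
        out = malloc(len + 1);          /* arbitrarily long component */
        if (out == NULL)
            return NULL;
        *heap = out;
    }
    memcpy(out, princ, len + 1);

    realm = realm_part(princ);
    if (realm == NULL)
        return out;                     /* no realm: nothing to fold */

    for (i = (size_t)(realm - princ); i < len; i++) {
        if (out[i] >= 'a' && out[i] <= 'z')
            out[i] = (char)(out[i] - 'a' + 'A');
    }
    return out;
}

int main(void)
{
    /* Constructed sample principals, not taken from a real deployment. */
    const char *samples[] = {
        "admin@example.com",
        "krbtgt/example.com@example.com",
        "svc\\@dmz@example.com",
    };
    char buf[SEARCH_FORM_STACK_LEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *heap = NULL;
        char *form = princ_search_form(samples[i], buf, sizeof(buf), &heap);

        if (form == NULL)
            return 1;
        printf("%-32s -> %s\n", samples[i], form);
        free(heap);
    }
    return 0;
}
```
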
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 15:52:04 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
Message-ID: <56D84F94.3000705@redhat.com>

Hello all,

related tickets:
https://fedorahosted.org/freeipa/ticket/5676
https://fedorahosted.org/freeipa/ticket/5675
https://fedorahosted.org/freeipa/ticket/5715

I'm trying to implement both tickets, but I no longer like the way we decided on at the devel meeting.
https://fedorahosted.org/freeipa/ticket/5676#comment:1

1) ipa host-del --updatedns
I propose to only delete A, AAAA and related PTR records (SSHFP records explained later). These records are somehow managed by IPA.

I don't like the idea of having an extra option to specify record types that should be removed, or a flag that will remove the DNS entry completely. IMO that is duplication of dnsrecord-mod/del functionality; host-del should not be used for managing DNS. If somebody wants better granularity, they should use 'dnsrecord-mod zone rec --type-rec=' or 'dnsrecord-del --del-all'.

Note: due to backward compatibility, --updatedns cannot be migrated to ENUM; a new option is needed.

2) SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
host-del removes SSH keys from LDAP, thus there is no reason to keep SSHFP records in DNS, thus SSHFP records should always be removed (even without the --updatedns option).

3) ipa-client-install --uninstall
SSHFP records are always added to DNS via nsupdate; IMO during client uninstall all SSHFP records related to the client should be removed via nsupdate too.

4) https://fedorahosted.org/freeipa/ticket/5676
ipa-client-install --uninstall --delete-host
# suggestions on how to name the option for removing the host entry from LDAP are welcome
Should this option call 'host-del' or 'host-del --updatedns'? I would like to avoid adding another DNS-related option to ipa-client-install.

Also, do we really want to implement this ticket? What is the gain there?
Martin^2

From mbasti at redhat.com Thu Mar 3 15:13:58 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 16:13:58 +0100
Subject: [Freeipa-devel] [PATCH 0403] adtrustinstance: Make sure smb.conf exists
In-Reply-To: <56D05405.2020609@redhat.com>
References: <56D05405.2020609@redhat.com>
Message-ID: <56D854B6.80403@redhat.com>

On 26.02.2016 14:32, Tomas Babej wrote:
> Hi,
>
> The 'net' command fails unless smb.conf exists. Touch
> the file prior to any 'net' call to make sure we do not crash
> for this very reason.
>
> I couldn't find the aforementioned Samba bug either in the RH/Samba
> bugzilla, despite spending non-trivial amount of time searching for it.
>
> Can somebody point me to it? I referenced the IPA ticket for now.
>
> https://fedorahosted.org/freeipa/ticket/5687
>
>

ACK

Pushed to:
master: 24a39dea441fb65b4ac523dbb9f21010f1c52c38
ipa-4-3: c1323f6b9d6a32f1cb51d42c1a502f9a32b3eb93

From mbasti at redhat.com Thu Mar 3 15:14:52 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 16:14:52 +0100
Subject: [Freeipa-devel] [PATCH 0400] l10n: Remove Transifex configuration
In-Reply-To: <56CEDA0F.5010807@redhat.com>
References: <56CEDA0F.5010807@redhat.com>
Message-ID: <56D854EC.7020803@redhat.com>

On 25.02.2016 11:40, Tomas Babej wrote:
> Hi,
>
> We're not using Transifex to manage our translations anymore.
>
> Tomas
>
>

ACK

Pushed to master: 61e627b4b3b9a9547128f128410d24b3cbe81b13

From mbasti at redhat.com Thu Mar 3 15:22:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 16:22:33 +0100
Subject: [Freeipa-devel] [PATCH 0400] l10n: Remove Transifex configuration
In-Reply-To: <56CEDA0F.5010807@redhat.com>
References: <56CEDA0F.5010807@redhat.com>
Message-ID: <56D856B9.6040009@redhat.com>

On 25.02.2016 11:40, Tomas Babej wrote:
> Hi,
>
> We're not using Transifex to manage our translations anymore.
>
> Tomas
>
>

ACK

Pushed to master: 61e627b4b3b9a9547128f128410d24b3cbe81b13

From pviktori at redhat.com Thu Mar 3 15:34:23 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 3 Mar 2016 16:34:23 +0100
Subject: [Freeipa-devel] [python-pytest-multihost] Request to add support to specify username/password for each host
In-Reply-To: <56D5C0C0.5010500@redhat.com>
References: <20160226101434.GA18928@mniranja.pnq.redhat.com> <20160229112631.GA13353@mniranja.pnq.redhat.com> <20160229160744.GA18511@mniranja.pnq.redhat.com> <20160229165748.GA19752@mniranja.pnq.redhat.com> <56D5C0C0.5010500@redhat.com>
Message-ID: <56D8597F.5030404@redhat.com>

On 03/01/2016 05:18 PM, Petr Viktorin wrote:
> On 02/29/2016 05:57 PM, Niranjan wrote:
>> Greetings,
>>
>> Attached wrong patch in my last mail. Request to review the patch
>> attached to this email
>>
>
> Hello,
> I've generalized the patch a bit to make it use existing host
> attributes, and I added tests.
> Could you check if it still works for you?

I've tested a little bit more, and went ahead and released v1.0 with this patch.
It should be available on PyPI and in Fedora Rawhide & 24. For Fedora 23, please test and give appropriate karma:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-95a1e1b53f

--
Petr Viktorin

From jcholast at redhat.com Thu Mar 3 15:37:47 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 3 Mar 2016 16:37:47 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D84F94.3000705@redhat.com>
References: <56D84F94.3000705@redhat.com>
Message-ID: <56D85A4B.2060601@redhat.com>

Hi,

On 3.3.2016 15:52, Martin Basti wrote:
> Hello all,
>
> related tickets:
> https://fedorahosted.org/freeipa/ticket/5676
> https://fedorahosted.org/freeipa/ticket/5675
> https://fedorahosted.org/freeipa/ticket/5715
>
> I'm trying to implement both tickets, but I don't like the way we
> decided on devel meeting anymore.

+1

>
> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>
> 1)
> ipa host-del --updatedns
>
> I propose to only delete A, AAAA and related PTR records (SSHFP records
> explained later). The records are somehow managed by IPA

I propose to deprecate the option and let users manage DNS by proper means. (I realize this probably won't be a very popular proposal :-).)

>
> I don't like the idea of having an extra option to specify record types
> that should be removed or a flag that will remove DNS entry completely.
> IMO that is duplication of dnsrecord-mod/del functionality, host-del
> should not be used for managing DNS. If somebody wants better
> granularity, one should use 'dnsrecord-mod zone rec --type-rec=' or
> 'dnsrecord-del --del-all'

+1

>
> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
> new option needed
>
> 2)
> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>
> host-del removes SSH keys from LDAP, thus there is no reason to keep
> SSHFP record in DNS, thus SSHFP records should be removed always (even
> without --updatedns option)

+1, also host-disable should probably do the same.

>
> 3)
> ipa-client-install --uninstall
>
> SSHFP records are always added via nsupdate to DNS, IMO during client
> uninstall all SSHFP records related to client should be removed via
> nsupdate too.

+1, IMHO it's important to keep symmetry here (or anywhere else for that matter), otherwise it is virtually impossible to keep track of what parts of code are related, and we could easily end up with *more* errors caused by one part being updated without the other.

>
> 4)
> https://fedorahosted.org/freeipa/ticket/5676
>
> ipa-client-install --uninstall --delete-host #suggestions how to name
> option for removing host entry for ldap welcome
>
> Should this option call 'host-del' or 'host-del --updatedns'?

On install, host-add does not create any DNS records, and neither should host-del delete any on uninstall.

>
> I would like to avoid additional DNS related option to be added to
> ipa-client-install

+1

>
> Also do we really want to implement this ticket? What is the gain there?

I would like to know the answer myself.

Honza

--
Jan Cholasta

From pviktori at redhat.com Thu Mar 3 15:36:12 2016
From: pviktori at redhat.com (Petr Viktorin)
Date: Thu, 3 Mar 2016 16:36:12 +0100
Subject: [Freeipa-devel] [pytest-multihost-devel][PATCH] Add reset_connection to BaseHost class
In-Reply-To: <1986616790.25498810.1455308624207.JavaMail.zimbra@redhat.com>
References: <1986616790.25498810.1455308624207.JavaMail.zimbra@redhat.com>
Message-ID: <56D859EC.8080300@redhat.com>

On 02/12/2016 09:23 PM, Scott Poore wrote:
> Hi,
>
> Please review attached patch for pytest-multihost plugin.
>
> Fixes: https://fedorahosted.org/python-pytest-multihost/ticket/4

Hi,
Sorry for the delay (and thanks for pinging me privately).

I've released v1.0 with this patch.
It should be available on PyPI and in Fedora Rawhide & 24. For Fedora 23, please test and give appropriate karma:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-95a1e1b53f

--
Petr Viktorin

From mkubik at redhat.com Thu Mar 3 16:26:20 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 3 Mar 2016 17:26:20 +0100
Subject: [Freeipa-devel] [PATCH 0422] CI: allow customized DS install test to run under different domain levels
In-Reply-To: <56D70BD3.2060809@redhat.com>
References: <56CDF007.5030200@redhat.com> <56D70BD3.2060809@redhat.com>
Message-ID: <56D865AC.3020802@redhat.com>

On 03/02/2016 04:50 PM, Martin Basti wrote:
>
>
> On 24.02.2016 19:01, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5606
>>
>> Patch attached.
>>
>>
> Bump for review
>
>

Works for me, ACK.

--
Milan Kubik

From mbasti at redhat.com Thu Mar 3 16:27:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 17:27:19 +0100
Subject: [Freeipa-devel] [PATCH 0422] CI: allow customized DS install test to run under different domain levels
In-Reply-To: <56D865AC.3020802@redhat.com>
References: <56CDF007.5030200@redhat.com> <56D70BD3.2060809@redhat.com> <56D865AC.3020802@redhat.com>
Message-ID: <56D865E7.10800@redhat.com>

On 03.03.2016 17:26, Milan Kubík wrote:
> On 03/02/2016 04:50 PM, Martin Basti wrote:
>>
>>
>> On 24.02.2016 19:01, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5606
>>>
>>> Patch attached.
>>>
>>>
>> Bump for review
>>
>>
> Works for me, ACK.
>
> --
> Milan Kubik

Pushed to:
master: a63ce1fe22fe16f7cf6ec569498c5aea8aa239b1
ipa-4-3: b6bd8742ee036902546a495822c76e97831295e4

From tbabej at redhat.com Thu Mar 3 16:34:17 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Thu, 3 Mar 2016 17:34:17 +0100
Subject: [Freeipa-devel] [PATCH] 951 webui: fail nicely if cookies are disabled
In-Reply-To: <56AA32DA.9000209@redhat.com>
References: <56AA3080.4090600@redhat.com> <56AA3268.9050805@redhat.com> <56AA32DA.9000209@redhat.com>
Message-ID: <56D86789.5090802@redhat.com>

On 01/28/2016 04:25 PM, Petr Vobornik wrote:
> On 01/28/2016 04:23 PM, Tomas Babej wrote:
>>
>>
>> On 01/28/2016 04:15 PM, Petr Vobornik wrote:
>>> Reworks also sessionStorage test because disablement of cookies might be
>>> connected with sessionStorage and localStorage. E.g. Chrome raises
>>> exception when *Storage is accessed with "Block sites from setting any
>>> data" settings set in "Content Settings/Cookies" section.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4338
>>>
>>>
>>
>> Seems that two spaces inserted themselves to the error message for
>> localStorage :)
>>
>
> updated patch attached.
>
>

ACK, works fine.

Pushed to master: 3c519951c5a719421d5abfa864dfeb6fbce6869d

From pvoborni at redhat.com Thu Mar 3 16:36:32 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 3 Mar 2016 17:36:32 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D84F94.3000705@redhat.com>
References: <56D84F94.3000705@redhat.com>
Message-ID: <56D86810.1080600@redhat.com>

On 03/03/2016 03:52 PM, Martin Basti wrote:
> Hello all,
>
> related tickets:
> https://fedorahosted.org/freeipa/ticket/5676
> https://fedorahosted.org/freeipa/ticket/5675
> https://fedorahosted.org/freeipa/ticket/5715
>
> I'm trying to implement both tickets, but I don't like the way we
> decided on devel meeting anymore.
>
> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>
> 1)
> ipa host-del --updatedns
>
> I propose to only delete A, AAAA and related PTR records (SSHFP records
> explained later). The records are somehow managed by IPA
>
> I don't like the idea of having an extra option to specify record types
> that should be removed or a flag that will remove DNS entry completely.
> IMO that is duplication of dnsrecord-mod/del functionality, host-del
> should not be used for managing DNS. If somebody wants better
> granularity, one should use 'dnsrecord-mod zone rec --type-rec=' or
> 'dnsrecord-del --del-all'

AFAIK the proposal on devel meeting was:

--update-dns will delete A, AAAA, SSHFP
--update-dns=all will delete the whole DNS record LDAP entry

there was also a proposal for granularity, e.g., --update-dns=a,aaaa.

Then it was agreed that --update-dns won't search for SRV records (not mentioned here, so OK).

PTR records weren't discussed or decision was not recorded.

The proposal above keeps backwards compatibility though it may not be possible to do with current framework. Or do we have support for multivalued enum with default value(s) which acts as a flag?

If the new option type is too complicated to introduce, then I would prefer to keep current option(flag) with behavior matching proposal for --update-dns or --update-dns=all.

Definitely big +1 on not introducing a new option.

No need to over-engineer it.

Not sure about PTR records.

>
> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
> new option needed
>
> 2)
> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>
> host-del removes SSH keys from LDAP, thus there is no reason to keep
> SSHFP record in DNS, thus SSHFP records should be removed always (even
> without --updatedns option)

ACK

>
> 3)
> ipa-client-install --uninstall
>
> SSHFP records are always added via nsupdate to DNS, IMO during client
> uninstall all SSHFP records related to client should be removed via
> nsupdate too.

IMHO not necessary, will be solved either by #5676 and/or #5715 (currently uninstall indirectly calls ipa-host-disable)

>
> 4)
> https://fedorahosted.org/freeipa/ticket/5676
>
> ipa-client-install --uninstall --delete-host #suggestions how to name
> option for removing host entry for ldap welcome
>
> Should this option call 'host-del' or 'host-del --updatedns'?
>
> I would like to avoid additional DNS related option to be added to
> ipa-client-install
>
> Also do we really want to implement this ticket? What is the gain there?

The devel discussion which is recorded in
https://fedorahosted.org/freeipa/ticket/5676#comment:1

suggests to change default behavior in ipa-client-install --uninstall so that it will call:

`ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will also do #3.

Further proposal in #5676 is to introduce a new option(--keephost ??) to keep the host records, i.e., the old behavior.

But comment:
"""
simo: maybe keeping backward compatibility is more important, discuss later if --remove option would be better
"""
suggests that further discussion is needed

>
> Martin^2
>

--
Petr Vobornik

From mrniranjan at fedoraproject.org Thu Mar 3 16:36:38 2016
From: mrniranjan at fedoraproject.org (Niranjan)
Date: Thu, 3 Mar 2016 22:06:38 +0530
Subject: [Freeipa-devel] [python-pytest-multihost] Request to add support to specify username/password for each host
In-Reply-To: <56D8597F.5030404@redhat.com>
References: <20160226101434.GA18928@mniranja.pnq.redhat.com> <20160229112631.GA13353@mniranja.pnq.redhat.com> <20160229160744.GA18511@mniranja.pnq.redhat.com> <20160229165748.GA19752@mniranja.pnq.redhat.com> <56D5C0C0.5010500@redhat.com> <56D8597F.5030404@redhat.com>
Message-ID: <20160303163638.GA5277@mniranja.pnq.redhat.com>

Petr Viktorin wrote:
> On 03/01/2016 05:18 PM, Petr Viktorin wrote:
> > On 02/29/2016 05:57 PM, Niranjan wrote:
> >> Greetings,
> >>
> >> Attached wrong patch in my last mail. Request to review the patch
> >> attached to this email
> >>
> >
> > Hello,
> > I've generalized the patch a bit to make it use existing host
> > attributes, and I added tests.
> > Could you check if it still works for you?
>
> I've tested a little bit more, and went ahead and released v1.0 with
> this patch.
> It should be available on PyPI and in Fedora Rawhide & 24. For Fedora
> 23, please test and give appropriate karma:
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-95a1e1b53f

I apologize for the delay, I found that it failed in my environment, I am still investigating, I got busy with some other things in my plate. I will get back with my observations by tomorrow.

Regards
Niranjan

>
>
> --
> Petr Viktorin

From mbasti at redhat.com Thu Mar 3 17:15:14 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 18:15:14 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D86810.1080600@redhat.com>
References: <56D84F94.3000705@redhat.com> <56D86810.1080600@redhat.com>
Message-ID: <56D87122.9000709@redhat.com>

On 03.03.2016 17:36, Petr Vobornik wrote:
> On 03/03/2016 03:52 PM, Martin Basti wrote:
>> Hello all,
>>
>> related tickets:
>> https://fedorahosted.org/freeipa/ticket/5676
>> https://fedorahosted.org/freeipa/ticket/5675
>> https://fedorahosted.org/freeipa/ticket/5715
>>
>> I'm trying to implement both tickets, but I don't like the way we
>> decided on devel meeting anymore.
>>
>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>
>> 1)
>> ipa host-del --updatedns
>>
>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>> explained later). The records are somehow managed by IPA
>>
>> I don't like the idea of having an extra option to specify record types
>> that should be removed or a flag that will remove DNS entry completely.
>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>> should not be used for managing DNS. If somebody wants better
>> granularity, one should use 'dnsrecord-mod zone rec --type-rec=' or
>> 'dnsrecord-del --del-all'
>
> AFAIK the proposal on devel meeting was:
>
> --update-dns will delete A, AAAA, SSHFP
> --update-dns=all will delete the whole DNS record LDAP entry
>
> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.

Yes this looks to me like doing an alias for dnsrecord-del command

>
> Then it was agreed that --update-dns won't search for SRV records (not
> mentioned here, so OK).
>
> PTR records weren't discussed or decision was not recorded.

When we remove A/AAAA, then we should remove PTR as well

>
> The proposal above keeps backwards compatibility though it may not be
> possible to do with current framework. Or do we have support for
> multivalued enum with default value(s) which acts as a flag?

It needs big hacks in framework, to support it as Flag for old client and Enum for new clients

>
> If the new option type is too complicated to introduce, then I would
> prefer to keep current option(flag) with behavior matching proposal
> for --update-dns or --update-dns=all.

To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.

>
> Definitely big +1 on not introducing a new option.
>
> No need to over-engineer it.
>
> Not sure about PTR records.
>
>>
>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
>> new option needed
>
>>
>> 2)
>> SSHFP records and host-del
>> (https://fedorahosted.org/freeipa/ticket/5715)
>>
>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>> without --updatedns option)
>
> ACK
>
>>
>> 3)
>> ipa-client-install --uninstall
>>
>> SSHFP records are always added via nsupdate to DNS, IMO during client
>> uninstall all SSHFP records related to client should be removed via
>> nsupdate too.
>
> IMHO not necessary, will be solved either by #5676 and/or
> #5715 (currently uninstall indirectly calls ipa-host-disable)

However host-disable does not do nsupdate, so it will work only for IPA DNS. So if nsupdate set SSHFP on non-IPA server, we do not have reverse operation in uninstall for that.

>
>>
>> 4)
>> https://fedorahosted.org/freeipa/ticket/5676
>>
>> ipa-client-install --uninstall --delete-host #suggestions how to name
>> option for removing host entry for ldap welcome
>>
>> Should this option call 'host-del' or 'host-del --updatedns'?
>>
>> I would like to avoid additional DNS related option to be added to
>> ipa-client-install
>>
>> Also do we really want to implement this ticket? What is the gain there?
>
> The devel discussion which is recorded in
> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>
> suggests to change default behavior in ipa-client-install --uninstall
> so that it will call:
>
> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it
> will also do #3.
>
> Further proposal in #5676 is to introduce a new option(--keephost ??)
> to keep the host records, i.e., the old behavior.
>
> But comment:
> """
> simo: maybe keeping backward compatibility is more important, discuss
> later if --remove option would be better
> """
> suggests that further discussion is needed

I agree with backward compatibility here. A current user may be very surprised that all DNS records of the host disappear.

>
>>
>> Martin^2
>>

From mbasti at redhat.com Thu Mar 3 17:19:18 2016
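The add/remove symmetry argued for in points 2 and 3 of the thread above, as an added example that is not part of any message here and is not FreeIPA's code: it derives SSHFP RDATA from OpenSSH public key lines, builds the nsupdate input for publishing and for the matching removal on uninstall, and flags published SSHFP records that no longer match any current host key. The host name, the keys (constructed inline), the 1200 second TTL and all function names are assumptions.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _fqdn(hostname):
    """Lower-case, absolute form of the owner name used in the update."""
    return hostname.rstrip(".").lower() + "."


def _normalize(rdata):
    """Canonical '<alg> <fptype> <HEX>' form, so comparisons ignore case/spacing."""
    parts = rdata.split()
    if len(parts) < 3:
        raise ValueError("not SSHFP RDATA: %r" % rdata)
    return "%d %d %s" % (int(parts[0]), int(parts[1]), "".join(parts[2:]).upper())


def sshfp_rdata(pubkey_line):
    """SSHFP RDATA strings for one '<keytype> <base64-blob> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    keytype = fields[0]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for %r" % keytype)
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with the length-prefixed key type; a mismatch means the
    # line was edited or corrupted and must not be published as a trust anchor.
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    alg = SSHFP_ALGORITHMS[keytype]
    # The fingerprint is a digest over the whole decoded public key blob.
    return ["%d %d %s" % (alg, fptype, digest(blob).hexdigest().upper())
            for fptype, digest in sorted(FP_TYPES.items())]


def nsupdate_add(hostname, pubkey_lines, ttl=1200):
    """nsupdate input replacing the host's SSHFP RRset with the given keys."""
    name = _fqdn(hostname)
    lines = ["update delete %s IN SSHFP" % name]
    for key in pubkey_lines:
        for rdata in sshfp_rdata(key):
            lines.append("update add %s %d IN SSHFP %s" % (name, ttl, rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_remove(hostname):
    """Reverse operation for uninstall: drop the host's whole SSHFP RRset."""
    return "update delete %s IN SSHFP\nsend\n" % _fqdn(hostname)


def stale_sshfp(published_rdata, current_pubkey_lines):
    """Published SSHFP RDATA matching none of the host's current keys."""
    valid = set()
    for key in current_pubkey_lines:
        valid.update(sshfp_rdata(key))
    return sorted(r for r in map(_normalize, published_rdata) if r not in valid)


def _constructed_key(keytype, payload):
    """Build a syntactically valid public key line from constructed bytes."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode("ascii")
            + struct.pack(">I", len(payload)) + payload)
    return "%s %s constructed-example" % (keytype, base64.b64encode(blob).decode())


# Constructed sample input (not real keys, not a real host).
SAMPLE_HOST = "client1.example.test"
SAMPLE_KEY = _constructed_key("ssh-ed25519", bytes(range(32)))
OLD_KEY = _constructed_key("ssh-ed25519", bytes(32))

if __name__ == "__main__":
    print(nsupdate_add(SAMPLE_HOST, [SAMPLE_KEY]))
    print(nsupdate_remove(SAMPLE_HOST))
    # Records left behind by an old key show up as stale.
    published = sshfp_rdata(OLD_KEY) + sshfp_rdata(SAMPLE_KEY)
    print(stale_sshfp(published, [SAMPLE_KEY]))
```

Because the removal deletes the whole SSHFP RRset for the name, it works against any server that accepts the dynamic update, which is the non-IPA DNS case raised in the last reply.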
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 18:19:18 +0100
Subject: [Freeipa-devel] [patch 0033] spec file: update the python-polib dependency name to python2-polib
In-Reply-To: <56CED260.4080703@redhat.com>
References: <56C1F0C4.7060707@redhat.com> <56C1F622.3000602@redhat.com> <20160215163920.GM25417@mail.corp.redhat.com> <56CED17A.3050808@redhat.com> <56CED24E.9060207@redhat.com> <56CED260.4080703@redhat.com>
Message-ID: <56D87216.30506@redhat.com>

On 25.02.2016 11:07, Milan Kubík wrote:
> On 02/25/2016 11:07 AM, Jan Cholasta wrote:
>> On 25.2.2016 11:03, Milan Kubík wrote:
>>> On 02/15/2016 05:39 PM, Lukas Slebodnik wrote:
>>>> On (15/02/16 17:00), Petr Vobornik wrote:
>>>>> On 02/15/2016 04:37 PM, Milan Kubík wrote:
>>>>>> Reflect the updated name of the package.
>>>>>>
>>>>> Seems to me as a packaging bug in python-polib. It should use
>>>>> python_provide
>>>>> macro to handle the transition.
>>>> There is not a bug in python-polib
>>>>
>>>> sh# rpm -q python2-polib
>>>> python2-polib-1.0.7-2.fc23.noarch
>>>>
>>>> sh# rpm -q --provides python2-polib
>>>> python-polib = 1.0.7-2.fc23
>>>> python2-polib = 1.0.7-2.fc23
>>>>
>>>> However it is a change in behaviour in dnf/yum.
>>>> You can see more details in BZ1291850 or better BZ1096506.
>>>>
>>>> This is a reason why "dnf builddep" will try to remove package.
>>>> (it's not downgrade from dnf point of view)
>>>>
>>>> sh# dnf builddep freeipa.spec
>>>> Last metadata expiration check performed 0:17:37 ago on Mon Feb 15
>>>> 16:19:14
>>>> 2016.
>>>> Package python-setuptools-18.0.1-2.fc23.noarch is already installed,
>>>> skipping.
>>>> Package systemd-222-10.fc23.x86_64 is already installed, skipping.
>>>> Package systemd-222-10.fc23.x86_64 is already installed, skipping.
>>>> Error: installed package python2-polib-1.0.7-2.fc23.noarch obsoletes
>>>> python-polib < 1.0.7-2.fc23 provided by
>>>> python-polib-1.0.3-6.fc23.noarch
>>>> (try to add '--allowerasing' to command line to replace conflicting
>>>> packages)
>>>>
>>>>
>>>> You might try to file a dnf BZ but mine 1291850 was two times closed
>>>> as not a
>>>> bug and then closed as a duplicate of another bug.
>>>>
>>>> IMHO the simplest solution would be to push the patch with better
>>>> explanation
>>>> in commit message because it's a workaround.
>>>>
>>>> LS
>>> Updated patch with reworded commit message.
>>
>> Please also add "workaround for
>> https://bugzilla.redhat.com/show_bug.cgi?id=1096506" comment above
>> the changed requires.
>>
> Done.
>
>

ACK, but missing ticket

From mbasti at redhat.com Thu Mar 3 17:31:43 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 3 Mar 2016 18:31:43 +0100
Subject: [Freeipa-devel] [PATCH 0426] spec: add missing requires to python*-ipalib package
In-Reply-To: <56CFEFC1.4060301@redhat.com>
References: <56CF3458.6030304@redhat.com> <56CFEFC1.4060301@redhat.com>
Message-ID: <56D874FF.4010306@redhat.com>

On 26.02.2016 07:25, Jan Cholasta wrote:
> Hi,
>
> On 25.2.2016 18:05, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5680
>>
>> Patch attached.
>
> NACK.
>
> For python 3, the ldap module is provided by python3-pyldap.
>
> Any reason for the random ordering? The requires are not
> alphabetically ordered, so I would prefer if you just appended the new
> ones.

updated patch attached.

>
> There are missing as well as redundant requires in other packages,
> shouldn't we fix these too?

Please file ticket for it.

>
> Honza
>

Martin^2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0426.2-spec-Add-missing-dependencies-to-python-ipalib-packa.patch
Type: text/x-patch
Size: 1302 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Mar 3 17:38:33 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 3 Mar 2016 18:38:33 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56D6E0E7.8020503@redhat.com> References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> Message-ID: <56D87699.6030305@redhat.com> On 02.03.2016 13:47, Oleg Fayans wrote: > Hi Martin, > > I've made the requested changes. > > The full set of necessary patches is attached. > > > On 03/02/2016 10:05 AM, Martin Basti wrote: >> >> On 02.03.2016 00:12, Oleg Fayans wrote: >>> Hi Martin, >>> >>> On 03/01/2016 07:04 PM, Martin Basti wrote: >>>> On 01.03.2016 14:56, Martin Basti wrote: >>>>> >>>>> On 01.03.2016 12:37, Martin Basti wrote: >>>>>> On 01.03.2016 12:32, Martin Basti wrote: >>>>>>> On 29.02.2016 13:16, Oleg Fayans wrote: >>>>>>>> Hi all, >>>>>>>> >>>>>>>> Finally the tests pass. >>>>>>>> >>>>>>>> The patch 0024 applies on top of patch 0022 (please, consider >>>>>>>> reviewing >>>>>>>> it also). 
Besides, the whole functionality depends on Martin's >>>>>>>> patch N 0421 >>>>>>>> >>>>>>>> All patches pass pylint. >>>>>>> hello, >>>>>>> >>>>>>> I cannot apply patches on master branch >>>>>>> Martin^2 >>>>>> My bad I applied wrong patch >>>>>> >>>>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote: >>>>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote: >>>>>>>>>> Hi Martin, >>>>>>>>>> >>>>>>>>>> I am sorry, in my previous email I attached the old version of >>>>>>>>>> patch >>>>>>>>>> 0016. The correct on is attached. >>>>>>>>>> >>>>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote: >>>>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote: >>>>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote: >>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>> >>>>>>>>>>>>> The updated patches are attached. Patch 0017 includes all >>>>>>>>>>>>> changes from >>>>>>>>>>>>> patch 0018, so, if you approve this one, there would be no >>>>>>>>>>>>> need to >>>>>>>>>>>>> continue with the review of 0018. This one contains all changes >>>>>>>>>>>>> related >>>>>>>>>>>>> to you remarks from 0018 review. Please see my explanation >>>>>>>>>>>>> on the >>>>>>>>>>>>> stdout+stderr part in the thread from patch 0018. 
>>>>>>>>>>>>> With these two patches applied one of the tests fails due this >>>>>>>>>>>>> bug: >>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550 >>>>>>>>>>>>> >>>>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote: >>>>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote: >>>>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi Martin >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant >>>>>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> The patches are rebased against the current master. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both >>>>>>>>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, >>>>>>>>>>>>>>>>>>>>>>>>>>>> see my >>>>>>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough >>>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? It should >>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, something >>>>>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and it >>>>>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>>>>> you 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with KRA. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level per >>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think which >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would have to >>>>>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. 
Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something >>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I say >>>>>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>>>>> wrong. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param >>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the >>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>>>>> levels 
>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like replica >>>>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. If >>>>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per class >>>>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> code? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this case or >>>>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not None, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in config >>>>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain level. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> this case. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. 
patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in install >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>>>> ************* Module ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is posted >>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>> Why is this change in the patch? 
>>>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if >>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created >>>>>>>>>>>>>>>>>>>>> again. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>>>> Agree. Removed >>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>> is enough to have this check only in install_master, >>>>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts entry, so >>>>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the >>>>>>>>>>>>>>>>>>>>> corresponding dns >>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to fail. >>>>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>>>> bug. 
On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the >>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes >>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not >>>>>>>>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably >>>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. 
>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns >>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>>>>> Right. Removed >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too 
long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> line 
>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the current >>>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>>> It's better to create a separate patch addressing PEP8 >>>>>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The >>>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>> attached >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>>>>> keyword >>>>>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>>>>> 'ipatests.test_integration.tasks' has no 'uninstall_replica' >>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_backup' >>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no 'ipa_restore' >>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>>>>> Unexpected >>>>>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>>>>> >>>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing with >>>>>>>>>>>>>> review >>>>>>>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>>>>>>> test is >>>>>>>>>>>> working, we may push this. >>>>>>>>>>>> >>>>>>>>>>> Is this expected due the bug you mentioned? 
>>>>>>>>>>> _____ >>>>>>>>>>> __________________________________________________________________________ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>>>>> ________________________________________________________________________________ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> self = >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> object at 0x7f5071a59e50> >>>>>>>>>>> >>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>>>>> [replica_file] >>>>>>>>>>> E >>>>>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>>>>> E The ipa-kra-install command failed. See >>>>>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>>>>> E >>>>>>>>>>> E assert 2 == 0 >>>>>>>>>>> E + where 2 = >>>>>>>>>> object at >>>>>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>>>>> >>>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>>>>> certificates in replica file >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>> >>>>>>>>> RUN >>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing >>>>>>>>> KRA >>>>>>>>> certificates, please create a new replica file. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>>>>> ipa-kra-install command failed. 
See
>>>>>>>>> /var/log/ipaserver-kra-install.log
>>>>>>>>> for more information
>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit
>>>>>>>>> code: 1
>>>>>>>>> FAILED
>>>>>>>>> traceback
>>>>>>>>>
>>>>>>>>> self =
>>>>>>>>>
>>>>>>>> object at 0x7f660bc1a590>
>>>>>>>>>
>>>>> I just read the code.
>>>>>
>>>>> PATCH 16:
>>>>> 0)
>>>>> PEP8
>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111
>>>>> indentation is not a multiple of four
>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113
>>>>> unexpected indentation
>>>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501
>>>>> line too long (80 > 79 characters)
>>>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501
>>>>> line too long (81 > 79 characters)
>>>>>
>>>>> 1)
>>>>> workaround is not workaround, because the host entry is removed
>>>>> anyway, the error is raised from POST callback, please remove it
>>>>> + # Workaround for 5627
>>>>> + if "host not found" in result.stderr_text:
>>>>> + self.master.run_command(["ipa",
>>>>> + "host-del",
>>>>> + host.hostname],
>>>>> raiseonerr=False)
>>>> sorry, I was wrong with this, check is in pre_callback, but please
>>>> remove it anyway, I will send patch to fix it ASAP
>>> Done
>> I realized that the fix I'm working on is for 4.4 only, so for 4.3 add
>> this as separated patch.
> Done, patch 0027
>
>>>>> 2)
>>>>> Please name it better, for example "replica" instead of "i"
>>>>> + for i in self.replicas:
>>>>> + tasks.install_replica(master, i, setup_ca=False,
>>>>> + setup_dns=True)
>>> Done
>>>
>>>>> 3)
>>>>> Please use constant for domain level (multiple times)
>>>>> + result1 = tasks.install_ca(replica1, domain_level=1,
>>>>> raiseonerr=False)
>>>>>
>>>>> + tasks.install_ca(replica1, domain_level=0)
>>>>> + result2 = tasks.install_ca(replica2, domain_level=0,
>>>>> raiseonerr=False)
>>>>> ... more times
>>> Done
>>>
>>>>> 4)
>>>>> This link does not exist, only connect is deprecated not
>>>>> ipa-replica-manage at all
>>>>> + def test_replica_manage_commands(self):
>>>>> + """
>>>>> + TestCase:
>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan
>>>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1
>>>>> + """
>>> Fixed
>>>
>>>>> 5)
>>>>> Missing testcases:
>>>>>
>>>>> Test case: Unprivileged users are not allowed to enroll and promote
>>>>> clients
>>>>> Test case: Replica created using old workflow is functional after
>>>>> domain upgrade
>>>>> Test case: ipa-csreplica-manage connect is deprecated in domain level 1
>>>>> Test case: Replica can be installed using one command
>>>>> Test case: Prohibit ipa server uninstallation from disconnecting
>>>>> topology segment
>>>>>
>>> They are on the way, not fully ready yet
>>>
>>>>> PATCH 24:
>>>>>
>>>>> 1)
>>>>> why there is this change, how it is related to this patch?:
>>>>> def apply_common_fixes(host):
>>>>> + prepare_host(host)
>>>>> fix_etc_hosts(host)
>>>>> fix_hostname(host)
>>>>> - prepare_host(host)
>>> Good catch! That was one of my attempts to address the issue that was
>>> successfully resolved in patch 0025. Will remove it once we agree on the
>>> rest of the changes
> Removed
>
>>>>> 2)
>>>>> Why is there this change, how it is related to this patch?:
>>>>> def replica_prepare(master, replica):
>>>>> - apply_common_fixes(replica)
>>>>> fix_apache_semaphores(replica)
>>>>> ...
>>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False,
>>>>> ...
>>>>> + apply_common_fixes(replica)
>>> Just to make this call independent from domain level (at domain_level 1
>>> replica_prepare never gets called)
>> It should be in separate commit, because it is not related to adding
>> domain_level in class functionality
> Done. Patch 0026
>
>>>
>>>>> 3)
>>>>> why is there this change, how it is related to this patch?:
>>>>> -
>>>>> + args.extend(['-n', replica.domain.name,
>>>>> + '-r', replica.domain.realm])
>>> At least -r is a required parameter. -n was added for further
>>> robustness. Can be safely removed, though
>> It should be in separate commit, as this is not related to domain levels
> Done. Patch 0026
>
>>>>> 4)
>>>>> why there force, how is this change related to this patch (domain
>>>>> levels)?
>>>>> '-w', client.config.admin_password,
>>>>> - '--server', master.hostname]
>>>>> + '--server', master.hostname,
>>>>> + '--force']
>>>>> + list(extra_args))
>>> client refuses to install unless everything is super clear in the dns
>>> setup (including reverse zone). Otherwise the installer fails and
>>> informs you that you may use '--force' at your own risk. I can rerun the
>>> tests without this option to provide you with the exact output, if you
>>> like.
>> It should be in separated commit, because it is not related to domain
>> levels
> I've run the tests without this option again and it passed. Must have
> been some temporary issue. Removed this change.
>
>>>>> Otherwise domain level related changes LGTM
>>>>>
>>>>> PATCH 25
>>>>>
>>>>> LGTM
>>>>>
>>>>> Martin^2
>>>>>

1) this method is unused please remove it
def test_kra_install_master(self):

2) Why are these there? I do not see any usage
from env_config import get_global_config
config = get_global_config()

3) nitpick
+ num_clients = 0
this is set by default

otherwise LGTM

Results of testing tomorrow.
Martin^2

From mbasti at redhat.com Fri Mar 4 07:37:12 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 4 Mar 2016 08:37:12 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D87699.6030305@redhat.com>
References: <5640A90B.6030906@redhat.com> <564CA530.3060006@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com>
Message-ID: <56D93B28.2020302@redhat.com>

On 03.03.2016 18:38, Martin Basti wrote:
>
>
> On 02.03.2016 13:47, Oleg Fayans wrote:
>> Hi Martin,
>>
>> I've made the requested changes.
>>
>> The full set of necessary patches is attached.
>>
>>
>> On 03/02/2016 10:05 AM, Martin Basti wrote:
>>>
>>> On 02.03.2016 00:12, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> On 03/01/2016 07:04 PM, Martin Basti wrote:
>>>>> On 01.03.2016 14:56, Martin Basti wrote:
>>>>>>
>>>>>> On 01.03.2016 12:37, Martin Basti wrote:
>>>>>>> On 01.03.2016 12:32, Martin Basti wrote:
>>>>>>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> Finally the tests pass.
>>>>>>>>>
>>>>>>>>> The patch 0024 applies on top of patch 0022 (please, consider reviewing
>>>>>>>>> it also). Besides, the whole functionality depends on Martin's patch N 0421
>>>>>>>>>
>>>>>>>>> All patches pass pylint.
>>>>>>>> hello,
>>>>>>>>
>>>>>>>> I cannot apply patches on master branch
>>>>>>>> Martin^2
>>>>>>> My bad I applied wrong patch
>>>>>>>
>>>>>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>>>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>
>>>>>>>>>>> I am sorry, in my previous email I attached the old version of patch
>>>>>>>>>>> 0016. The correct one is attached.
>>>>>>>>>>>
>>>>>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The updated patches are attached. Patch 0017 includes all changes from
>>>>>>>>>>>>>> patch 0018, so, if you approve this one, there would be no need to
>>>>>>>>>>>>>> continue with the review of 0018. This one contains all changes related
>>>>>>>>>>>>>> to your remarks from 0018 review. Please see my explanation on the
>>>>>>>>>>>>>> stdout+stderr part in the thread from patch 0018.
>>>>>>>>>>>>>> With these two patches applied one of the tests fails due to this bug:
>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>> Hi Martin
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant DOMAIN_SUFFIX_NAME
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too:
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into account. Both patches are
>>>>>>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help!
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, see my comment below
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of https://fedorahosted.org/freeipa/ticket/5469 during KRA testing
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL constants, this may change
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and DOMAIN_LEVEL_1 for domain level 0 and 1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not enough just uninstall server which
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? It should >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> something >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think >>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have thought >>>>>>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0. 
With config-based approach, we would >>>>>>>>>>>>>>>>>>>>>>>>>>>>> have to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have something >>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, I >>>>>>>>>>>>>>>>>>>>>>>>>>>> say >>>>>>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>>>>>> wrong. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like >>>>>>>>>>>>>>>>>>>>>>>>>>>> replica >>>>>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the config >>>>>>>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you removed >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> case or >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and when >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should override >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
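Review bot: The "%i" format on the added "--domain-level=%i" % domain_level line needs an integer, so if domain_level defaults to None as proposed in this review, the fallback to host.config.domain_level has to be resolved before this line; otherwise the formatting raises TypeError instead of using the level from the config file. Doing the None check once at the top of install_master, before the argument list is built, covers every caller.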
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the patch >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated testcases >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] 
>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is >>>>>>>>>>>>>>>>>>>>>>>>>> posted >>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>> Why is this change in the patch? >>>>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at line >>>>>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, but if >>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created >>>>>>>>>>>>>>>>>>>>>> again. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> So this should be in separated patch and investigated >>>>>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>>>>> Agree. 
Removed >>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>> is enough to have this check only in >>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts >>>>>>>>>>>>>>>>>>>>>>> entry, so >>>>>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the >>>>>>>>>>>>>>>>>>>>>> corresponding dns >>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to >>>>>>>>>>>>>>>>>>>>>> fail. >>>>>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>>>>> bug. On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the >>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>>>>> client. 
>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del removes >>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm not >>>>>>>>>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably >>>>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that returns >>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> 
./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the >>>>>>>>>>>>>>>>>>>>>> current >>>>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>>>> It's better to create a separate patch addressing >>>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>>> errors. 
>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to have it >>>>>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. The >>>>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>> attached >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>>>>>> keyword >>>>>>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>>>>>> 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>> 'uninstall_replica' >>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>> Module 
'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>> 'ipa_backup' >>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>> 'ipa_restore' >>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>>>>>> Unexpected >>>>>>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm continuing >>>>>>>>>>>>>>> with >>>>>>>>>>>>>>> review >>>>>>>>>>>>> LGTM, I haven't had time to test it, but if you are sure that >>>>>>>>>>>>> test is >>>>>>>>>>>>> working, we may push this. >>>>>>>>>>>>> >>>>>>>>>>>> Is this expected due the bug you mentioned? >>>>>>>>>>>> _____ >>>>>>>>>>>> __________________________________________________________________________ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>>>>>> ________________________________________________________________________________ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> self = >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> object at 0x7f5071a59e50> >>>>>>>>>>>> >>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>> assert result1.returncode == 0, result1.stderr_text >>>>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>>>>>> [replica_file] >>>>>>>>>>>> E >>>>>>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>>>>>> E The ipa-kra-install command failed. 
See >>>>>>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>>>>>> E >>>>>>>>>>>> E assert 2 == 0 >>>>>>>>>>>> E + where 2 = >>>>>>>>>>> object at >>>>>>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>>>>>> >>>>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>>>>>> certificates in replica file >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> RUN >>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Missing >>>>>>>>>> KRA >>>>>>>>>> certificates, please create a new replica file. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>>>>>> ipa-kra-install command failed. See >>>>>>>>>> /var/log/ipaserver-kra-install.log >>>>>>>>>> for more information >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit >>>>>>>>>> code: 1 >>>>>>>>>> FAILED >>>>>>>>>> traceback >>>>>>>>>> >>>>>>>>>> self = >>>>>>>>>> >>>>>>>>> object at 0x7f660bc1a590> >>>>>>>>>> >>>>>> I just read the code. 
>>>>>> >>>>>> PATCH 16: >>>>>> 0) >>>>>> PEP8 >>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 >>>>>> indentation is not a multiple of four >>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 >>>>>> unexpected indentation >>>>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 >>>>>> line too long (80 > 79 characters) >>>>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 >>>>>> line too long (81 > 79 characters) >>>>>> >>>>>> 1) >>>>>> workaround is not workaround, because the host entry is removed >>>>>> anyway, the error is raised from POST callback, please remove it >>>>>> + # Workaround for 5627 >>>>>> + if "host not found" in result.stderr_text: >>>>>> + self.master.run_command(["ipa", >>>>>> + "host-del", >>>>>> + host.hostname], >>>>>> raiseonerr=False) >>>>> sorry, I was wrong with this, check is in pre_callback, but please >>>>> remove it anyway, I will send patch to fix it ASAP >>>> Done >>> I realized that the fix I'm working on is for 4.4 only, so for 4.3 add >>> this as separated patch. >> Done, patch 0027 >> >>>>>> 2) >>>>>> Please name it better, for example "replica" instead of "i" >>>>>> + for i in self.replicas: >>>>>> + tasks.install_replica(master, i, setup_ca=False, >>>>>> + setup_dns=True) >>>> Done >>>> >>>>>> 3) >>>>>> Please use constant for domain level (multiple times) >>>>>> + result1 = tasks.install_ca(replica1, domain_level=1, >>>>>> raiseonerr=False) >>>>>> >>>>>> + tasks.install_ca(replica1, domain_level=0) >>>>>> + result2 = tasks.install_ca(replica2, domain_level=0, >>>>>> raiseonerr=False) >>>>>> ... 
more times >>>> Done >>>> >>>>>> 4) >>>>>> This link does not exists, only connect is deprecated not >>>>>> ipa-replica-manage at all >>>>>> + def test_replica_manage_commands(self): >>>>>> + """ >>>>>> + TestCase: >>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 >>>>>> + """ >>>> Fixed >>>> >>>>>> 5) >>>>>> Missing testcases: >>>>>> >>>>>> Test case: Unprivileged users are not allowed to enroll and promote >>>>>> clients >>>>>> Test case: Replica created using old workflow is functional after >>>>>> domain upgrade >>>>>> Test case: ipa-csreplica-manage connect is deprecated in domain >>>>>> level 1 >>>>>> Test case: Replica can be installed using one command >>>>>> Test case: Prohibit ipa server uninstallation from disconnecting >>>>>> topology segment >>>>>> >>>> They are on the way, not fully ready yet >>>> >>>>>> PATCH 24: >>>>>> >>>>>> 1) >>>>>> why there is this change, how it is related to this patch?: >>>>>> def apply_common_fixes(host): >>>>>> + prepare_host(host) >>>>>> fix_etc_hosts(host) >>>>>> fix_hostname(host) >>>>>> - prepare_host(host) >>>> Good catch! That was one of my attempts to address the issue that was >>>> successfully resolved in patch 0025. Will remove it once we agree >>>> on the >>>> rest of the changes >> Removed >> >>>>>> 2) >>>>>> Why is there this change, how it is related to this patch?: >>>>>> def replica_prepare(master, replica): >>>>>> - apply_common_fixes(replica) >>>>>> fix_apache_semaphores(replica) >>>>>> ... >>>>>> def install_replica(master, replica, setup_ca=True, >>>>>> setup_dns=False, >>>>>> ... >>>>>> + apply_common_fixes(replica) >>>> Just to make this call independent from domain level (at >>>> domain_level 1 >>>> replica_prepare never gets called) >>> It should be in separate commit, because it is not related to adding >>> domain_level in class functionality >> Done. 
Patch 0026 >> >>>> >>>>>> 3) >>>>>> why is there this change, how it is related to this patch?: >>>>>> - >>>>>> + args.extend(['-n', replica.domain.name, >>>>>> + '-r', replica.domain.realm]) >>>> At least -r is a required parameter. -n was added for further >>>> robustness. Can be safely removed, though >>> It should be in separate commit, as this is not related to domain >>> levels >> Done. Patch 0026 >> >>>>>> 4) >>>>>> why there force, how is this change related to this patch (domain >>>>>> levels)? >>>>>> '-w', client.config.admin_password, >>>>>> - '--server', master.hostname] >>>>>> + '--server', master.hostname, >>>>>> + '--force'] >>>>>> + list(extra_args)) >>>> client refuses to install unless everything is super clear in the dns >>>> setup (including reverse zone). Otherwise the installer fails and >>>> informs you that you may use '--force' at your own risk. I can >>>> rerun the >>>> tests without this option to provide you with the exact output, if you >>>> like. >>> It should be in separated commit, because it is not related to domain >>> levels >> I've run the tests without this option again at it passed. Must have >> been some temporary issue. Removed this change. >> >>>>>> Otherwise domain level related changes LGTM >>>>>> >>>>>> PATCH 25 >>>>>> >>>>>> LGTM >>>>>> >>>>>> Martin^2 >>>>>> > > 1) > this method is unused please remove it > > def test_kra_install_master(self): > > 2) > Why are these there? I do not see any usage > > from env_config import get_global_config > config = get_global_config() > > 3) nitpick > + num_clients = 0 > this is set by default > > otherwise LGTM > > Results of testing tomorrow. > > Martin^2 > I applied all patches including workarounds, but test failed. 
ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-ca', '--ip-address', '192.168.144.102', '/root/ipatests/replica-info.gpg']
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host replica1.ipa.test already exists on the master server.
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should remove it before proceeding:
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa host-del replica1.ipa.test
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3
FAILED

From mbasti at redhat.com Fri Mar 4 07:39:04 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 4 Mar 2016 08:39:04 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D93B28.2020302@redhat.com>
References: <5640A90B.6030906@redhat.com> <5655D741.4010402@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com>
Message-ID: <56D93B98.4090307@redhat.com>

On 04.03.2016 08:37, Martin Basti wrote:
>
>
> On 03.03.2016 18:38, Martin Basti wrote:
>>
>>
>> On 02.03.2016 13:47, Oleg Fayans wrote:
>>> Hi Martin,
>>>
>>> I've made the requested changes.
>>>
>>> The full set of necessary patches is attached.
>>>
>>>
>>> On 03/02/2016 10:05 AM, Martin Basti wrote:
>>>>
>>>> On 02.03.2016 00:12, Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> On 03/01/2016 07:04 PM, Martin Basti wrote:
>>>>>> On 01.03.2016 14:56, Martin Basti wrote:
>>>>>>>
>>>>>>> On 01.03.2016 12:37, Martin Basti wrote:
>>>>>>>> On 01.03.2016 12:32, Martin Basti wrote:
>>>>>>>>> On 29.02.2016 13:16, Oleg Fayans wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> Finally the tests pass.
>>>>>>>>>>
>>>>>>>>>> The patch 0024 applies on top of patch 0022 (please, consider
>>>>>>>>>> reviewing
>>>>>>>>>> it also). Besides, the whole functionality depends on Martin's
>>>>>>>>>> patch N 0421
>>>>>>>>>>
>>>>>>>>>> All patches pass pylint.
>>>>>>>>> hello,
>>>>>>>>>
>>>>>>>>> I cannot apply patches on master branch
>>>>>>>>> Martin^2
>>>>>>>> My bad I applied wrong patch
>>>>>>>>
>>>>>>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote:
>>>>>>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote:
>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>
>>>>>>>>>>>> I am sorry, in my previous email I attached the old version of
>>>>>>>>>>>> patch
>>>>>>>>>>>> 0016. The correct one is attached.
>>>>>>>>>>>>
>>>>>>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote:
>>>>>>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote:
>>>>>>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote:
>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The updated patches are attached. Patch 0017 includes all
>>>>>>>>>>>>>>> changes from
>>>>>>>>>>>>>>> patch 0018, so, if you approve this one, there would be no
>>>>>>>>>>>>>>> need to
>>>>>>>>>>>>>>> continue with the review of 0018. This one contains all
>>>>>>>>>>>>>>> changes
>>>>>>>>>>>>>>> related
>>>>>>>>>>>>>>> to your remarks from 0018 review. Please see my explanation
>>>>>>>>>>>>>>> on the
>>>>>>>>>>>>>>> stdout+stderr part in the thread from patch 0018.
>>>>>>>>>>>>>>> With these two patches applied one of the tests fails
>>>>>>>>>>>>>>> due this
>>>>>>>>>>>>>>> bug:
>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote:
>>>>>>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>> Hi Martin
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant
>>>>>>>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> The patches are rebased against the current master.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too:
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into
>>>>>>>>>>>>>>>>>>>>>>>>>>>> account. Both
>>>>>>>>>>>>>>>>>>>>>>>>>>>> patches are
>>>>>>>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help!
>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> see my >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? It >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> something >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with KRA. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> thought >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> beginning. For example, in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0. 
With config-based approach, we would >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> have to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have >>>>>>>>>>>>>>>>>>>>>>>>>>>>> something >>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I say >>>>>>>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrong. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like >>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica >>>>>>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> removed that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> case or >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> when >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> override >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class >>>>>>>>>>>>>>>>>>>>>>>>>>> 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> 
[E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is >>>>>>>>>>>>>>>>>>>>>>>>>>> posted >>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>> Why is this change in the patch? >>>>>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at >>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, >>>>>>>>>>>>>>>>>>>>>>> but if >>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created >>>>>>>>>>>>>>>>>>>>>>> again. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> So this should be in separated patch and >>>>>>>>>>>>>>>>>>>>>> investigated >>>>>>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>>>>>> Agree. 
Removed >>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>> is enough to have this check only in >>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts >>>>>>>>>>>>>>>>>>>>>>>> entry, so >>>>>>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the >>>>>>>>>>>>>>>>>>>>>>> corresponding dns >>>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to >>>>>>>>>>>>>>>>>>>>>>> fail. >>>>>>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>>>>>> bug. On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the >>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>> look like a bug to me. >>>>>>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>>>>>> client. 
>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del >>>>>>>>>>>>>>>>>>>>>> removes >>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm >>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably >>>>>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that >>>>>>>>>>>>>>>>>>>>>>>> returns >>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (88 > 79 characters) 
>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the >>>>>>>>>>>>>>>>>>>>>>> current >>>>>>>>>>>>>>>>>>>>>>> patches. 
>>>>>>>>>>>>>>>>>>>>>>> It's better to create a separate patch >>>>>>>>>>>>>>>>>>>>>>> addressing PEP8 >>>>>>>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to >>>>>>>>>>>>>>>>>>>>>>>> have it >>>>>>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The >>>>>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>> attached >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>>>>>>> keyword >>>>>>>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>>>>>>> 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>> 'uninstall_replica' >>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>> 'ipa_backup' >>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>> 'ipa_restore' >>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>>>>>>> Unexpected >>>>>>>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm >>>>>>>>>>>>>>>> continuing with >>>>>>>>>>>>>>>> review >>>>>>>>>>>>>> LGTM, I haven't had time to test it, but if you are sure >>>>>>>>>>>>>> that 
>>>>>>>>>>>>>> test is >>>>>>>>>>>>>> working, we may push this. >>>>>>>>>>>>>> >>>>>>>>>>>>> Is this expected due the bug you mentioned? >>>>>>>>>>>>> _____ >>>>>>>>>>>>> __________________________________________________________________________ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>>>>>>> ________________________________________________________________________________ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> self = >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> object at 0x7f5071a59e50> >>>>>>>>>>>>> >>>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>> assert result1.returncode == 0, >>>>>>>>>>>>>> result1.stderr_text >>>>>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>>>>>>> [replica_file] >>>>>>>>>>>>> E >>>>>>>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>>>>>>> E The ipa-kra-install command failed. 
See >>>>>>>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>>>>>>> E >>>>>>>>>>>>> E assert 2 == 0 >>>>>>>>>>>>> E + where 2 = >>>>>>>>>>>> object at >>>>>>>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>>>>>>> >>>>>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>>>>>>> certificates in replica file >>>>>>>>>>> >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> RUN >>>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] >>>>>>>>>>> Missing >>>>>>>>>>> KRA >>>>>>>>>>> certificates, please create a new replica file. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>>>>>>> ipa-kra-install command failed. See >>>>>>>>>>> /var/log/ipaserver-kra-install.log >>>>>>>>>>> for more information >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit >>>>>>>>>>> code: 1 >>>>>>>>>>> FAILED >>>>>>>>>>> traceback >>>>>>>>>>> >>>>>>>>>>> self = >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> object at 0x7f660bc1a590> >>>>>>>>>>> >>>>>>> I just read the code. 
>>>>>>> >>>>>>> PATCH 16: >>>>>>> 0) >>>>>>> PEP8 >>>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 >>>>>>> indentation is not a multiple of four >>>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 >>>>>>> unexpected indentation >>>>>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 >>>>>>> line too long (80 > 79 characters) >>>>>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 >>>>>>> line too long (81 > 79 characters) >>>>>>> >>>>>>> 1) >>>>>>> workaround is not workaround, because the host entry is removed >>>>>>> anyway, the error is raised from POST callback, please remove it >>>>>>> + # Workaround for 5627 >>>>>>> + if "host not found" in result.stderr_text: >>>>>>> + self.master.run_command(["ipa", >>>>>>> + "host-del", >>>>>>> + host.hostname], >>>>>>> raiseonerr=False) >>>>>> sorry, I was wrong with this, check is in pre_callback, but please >>>>>> remove it anyway, I will send patch to fix it ASAP >>>>> Done >>>> I realized that the fix I'm working on is for 4.4 only, so for 4.3 add >>>> this as separated patch. >>> Done, patch 0027 >>> >>>>>>> 2) >>>>>>> Please name it better, for example "replica" instead of "i" >>>>>>> + for i in self.replicas: >>>>>>> + tasks.install_replica(master, i, setup_ca=False, >>>>>>> + setup_dns=True) >>>>> Done >>>>> >>>>>>> 3) >>>>>>> Please use constant for domain level (multiple times) >>>>>>> + result1 = tasks.install_ca(replica1, domain_level=1, >>>>>>> raiseonerr=False) >>>>>>> >>>>>>> + tasks.install_ca(replica1, domain_level=0) >>>>>>> + result2 = tasks.install_ca(replica2, domain_level=0, >>>>>>> raiseonerr=False) >>>>>>> ... 
more times >>>>> Done >>>>> >>>>>>> 4) >>>>>>> This link does not exists, only connect is deprecated not >>>>>>> ipa-replica-manage at all >>>>>>> + def test_replica_manage_commands(self): >>>>>>> + """ >>>>>>> + TestCase: >>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 >>>>>>> + """ >>>>> Fixed >>>>> >>>>>>> 5) >>>>>>> Missing testcases: >>>>>>> >>>>>>> Test case: Unprivileged users are not allowed to enroll and promote >>>>>>> clients >>>>>>> Test case: Replica created using old workflow is functional after >>>>>>> domain upgrade >>>>>>> Test case: ipa-csreplica-manage connect is deprecated in domain >>>>>>> level 1 >>>>>>> Test case: Replica can be installed using one command >>>>>>> Test case: Prohibit ipa server uninstallation from disconnecting >>>>>>> topology segment >>>>>>> >>>>> They are on the way, not fully ready yet >>>>> >>>>>>> PATCH 24: >>>>>>> >>>>>>> 1) >>>>>>> why there is this change, how it is related to this patch?: >>>>>>> def apply_common_fixes(host): >>>>>>> + prepare_host(host) >>>>>>> fix_etc_hosts(host) >>>>>>> fix_hostname(host) >>>>>>> - prepare_host(host) >>>>> Good catch! That was one of my attempts to address the issue that was >>>>> successfully resolved in patch 0025. Will remove it once we agree >>>>> on the >>>>> rest of the changes >>> Removed >>> >>>>>>> 2) >>>>>>> Why is there this change, how it is related to this patch?: >>>>>>> def replica_prepare(master, replica): >>>>>>> - apply_common_fixes(replica) >>>>>>> fix_apache_semaphores(replica) >>>>>>> ... >>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>> setup_dns=False, >>>>>>> ... >>>>>>> + apply_common_fixes(replica) >>>>> Just to make this call independent from domain level (at >>>>> domain_level 1 >>>>> replica_prepare never gets called) >>>> It should be in separate commit, because it is not related to adding >>>> domain_level in class functionality >>> Done. 
Patch 0026 >>> >>>>> >>>>>>> 3) >>>>>>> why is there this change, how it is related to this patch?: >>>>>>> - >>>>>>> + args.extend(['-n', replica.domain.name, >>>>>>> + '-r', replica.domain.realm]) >>>>> At least -r is a required parameter. -n was added for further >>>>> robustness. Can be safely removed, though >>>> It should be in separate commit, as this is not related to domain >>>> levels >>> Done. Patch 0026 >>> >>>>>>> 4) >>>>>>> why there force, how is this change related to this patch (domain >>>>>>> levels)? >>>>>>> '-w', client.config.admin_password, >>>>>>> - '--server', master.hostname] >>>>>>> + '--server', master.hostname, >>>>>>> + '--force'] >>>>>>> + list(extra_args)) >>>>> client refuses to install unless everything is super clear in the dns >>>>> setup (including reverse zone). Otherwise the installer fails and >>>>> informs you that you may use '--force' at your own risk. I can >>>>> rerun the >>>>> tests without this option to provide you with the exact output, if >>>>> you >>>>> like. >>>> It should be in separated commit, because it is not related to domain >>>> levels >>> I've run the tests without this option again at it passed. Must have >>> been some temporary issue. Removed this change. >>> >>>>>>> Otherwise domain level related changes LGTM >>>>>>> >>>>>>> PATCH 25 >>>>>>> >>>>>>> LGTM >>>>>>> >>>>>>> Martin^2 >>>>>>> >> >> 1) >> this method is unused please remove it >> >> def test_kra_install_master(self): >> >> 2) >> Why are these there? I do not see any usage >> >> from env_config import get_global_config >> config = get_global_config() >> >> 3) nitpick >> + num_clients = 0 >> this is set by default >> >> otherwise LGTM >> >> Results of testing tomorrow. >> >> Martin^2 >> > > I applied all patches including workarounds, but test failed. 
> > ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 > > > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN > ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', > '--setup-ca', '--ip-address', '192.168.144.102', > '/root/ipatests/replica-info.gpg'] > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host > replica1.ipa.test already exists on the master server. > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should > remove it before proceeding: > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa > host-del replica1.ipa.test > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] > ipa.ipapython.install.cli.install_tool(Replica): ERROR The > ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3 > FAILED > And it needs ticket, otherwise it will not be in 4-3 branch. From pspacek at redhat.com Fri Mar 4 08:17:10 2016 
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 09:17:10 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D87122.9000709@redhat.com>
References: <56D84F94.3000705@redhat.com> <56D86810.1080600@redhat.com> <56D87122.9000709@redhat.com>
Message-ID: <56D94486.6040703@redhat.com>

On 3.3.2016 18:15, Martin Basti wrote:
>
>
> On 03.03.2016 17:36, Petr Vobornik wrote:
>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>> Hello all,
>>>
>>> related tickets:
>>> https://fedorahosted.org/freeipa/ticket/5676
>>> https://fedorahosted.org/freeipa/ticket/5675
>>> https://fedorahosted.org/freeipa/ticket/5715
>>>
>>> I'm trying to implement both tickets, but I don't like the way we
>>> decided on devel meeting anymore.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>
>>> 1)
>>> ipa host-del --updatedns
>>>
>>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>>> explained later). The records are somehow managed by IPA
>>>
>>> I don't like the idea of having an extra option to specify record types
>>> that should be removed or a flag that will remove DNS entry completely.
>>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>>> should not be used for managing DNS. If somebody wants better
>>> granularity, the one should use 'dnsrecord-mod zone rec --type-rec=' or
>>> 'dnsrecord-del --del-all'
>>
>> AFAIK the proposal on devel meeting was:
>>
>> --update-dns will delete A, AAAA, SSHFP
>> --update-dns=all will delete the whole DNS record LDAP entry
>>
>> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.
> Yes this looks for me like doing an alias for dnsrecord-del command
>
>>
>> Then it was agreed that --update-dns won't search for SRV records (not
>> mentioned here, so OK).
>>
>> PTR records weren't discussed or decision was not recorded.
> When we remove A/AAAA, then we should remove PTR as well
>>
>> The proposal above keeps backwards compatibility though it may not be
>> possible to do with current framework. Or do we have support for multivalued
>> enum with default value(s) which acts as a flag?
> It needs big hacks in framework, to support it as Flag for old client and Enum
> for new clients
>>
>> If the new option type is too complicated to introduce, then I would prefer
>> to keep current option(flag) with behavior matching proposal for
>> --update-dns or --update-dns=all.
> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>
>>
>> Definitely big +1 on not introducing a new option.
>>
>> No need to over-engineer it.
>>
>> Not sure about PTR records.
>>
>>>
>>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
>>> new option needed
>>
>>>
>>> 2)
>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>
>>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>>> without --updatedns option)
>>
>> ACK
>>
>>>
>>> 3)
>>> ipa-client-install --uninstall
>>>
>>> SSHFP records are always added via nsupdate to DNS, IMO during client
>>> uninstall all SSHFP records related to client should be removed via
>>> nsupdate too.
>>
>> IMHO not necessary will be solved either by #5676 and/or #5715(currently
>> uninstall indirectly calls ipa-host-disable)
> However host-disable does not do nsupdate, so it will work only for IPA DNS.
> So if nsupdate set SSHFP on non-IPA server, we do not have reverse operation
> in uninstall for that.
>
>>
>>>
>>> 4)
>>> https://fedorahosted.org/freeipa/ticket/5676
>>>
>>> ipa-client-install --uninstall --delete-host #suggestions how to name
>>> option for removing host entry for ldap welcome
>>>
>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>
>>> I would like to avoid additional DNS related option to be added to
>>> ipa-client-install
>>>
>>> Also do we really want to implement this ticket? What is the gain there?
>>
>> The devel discussions which is recorded in
>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>
>> Suggests to change default behavior in ipa-client-install --uninstall so
>> that it will call:
>>
>> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will
>> also do #3.
>>
>> Further proposal in #5676 is to introduce a new option(--keephost ??) to
>> keep the host records, i.e., the old behavior.
>>
>> But comment:
>> """
>> simo: maybe keeping backward compatibility is more important, discuss later
>> if --remove option would be better
>> """
>> suggest that further discussion is needed
>
> I agree with backward compatibility here. A current user may be very surprised
> that all DNS records of the host disappear.

The general problem is that installation process (aka ipa-client-install) is a mess without documented design (at least when it comes to DNS parts) so it is quite hard to do the reverse on --uninstall.

Given that we're planning to implement integration with external DNS in future we might want to postpone ipa-client-install changes related to DNS and do overhaul at once.

For example host plugin will need changes as many assumptions about DNS usage are oversimplified or simply wrong so delaying changes might save some headache caused by two behavior changes in two subsequent releases.

--
Petr^2 Spacek

From mkosek at redhat.com Fri Mar 4 08:43:44 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 09:43:44 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
Message-ID: <56D94AC0.1040802@redhat.com>

Hi Alexander and others,

As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
will be able to disable the sudoers schema compatibility tree
(cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).

Right now, I am only aware of an attribute to disable the whole Schema Compat
plugin (exposed via ipa-compat-manage tool), but this would not fly for people
with legacy clients reading from Compat tree.

I am thinking, is there an easy way we can recommend to admins on how to
disable just certain Schema Compatibility rules? Ideally having a config
option something like:

schema-compat-enabled: on|off

That could be changed via ldapmodify.

[1] https://fedorahosted.org/sssd/ticket/1108

--
Martin Kosek
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

From dkupka at redhat.com Fri Mar 4 08:48:15 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 4 Mar 2016 03:48:15 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys
In-Reply-To: <56D715CE.3040003@redhat.com>
References: <56D715CE.3040003@redhat.com>
Message-ID: <420914238.41602750.1457081295829.JavaMail.zimbra@redhat.com>

This patch is going to master branch only.
Works for me, ACK.

----- Original Message -----
From: "Martin Basti"
To: "freeipa-devel"
Sent: Wednesday, March 2, 2016 5:33:18 PM
Subject: [Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys

Patch attached, see commit message for details

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From abokovoy at redhat.com Fri Mar 4 09:10:47 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Mar 2016 11:10:47 +0200
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <56D94AC0.1040802@redhat.com>
References: <56D94AC0.1040802@redhat.com>
Message-ID: <20160304091047.GW4492@redhat.com>

On Fri, 04 Mar 2016, Martin Kosek wrote:
>Hi Alexander and others,
>
>As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
>will be able to disable the sudoers schema compatibility tree
>(cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>
>Right now, I am only aware of an attribute to disable the whole Schema Compat
>plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>with legacy clients reading from Compat tree.
>
>I am thinking, is there an easy way we can recommend to admins on how to
>disable just certain Schema Compatibility rules? Ideally having a config
>option something like:
>
>schema-compat-enabled: on|off
>
>That could be changed via ldapmodify.
>
>[1] https://fedorahosted.org/sssd/ticket/1108
There is nothing like that in slapi-nis. If you want to remove container
configuration, you just remove it.

So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config"'
is our simplest way.

One can create an update file for ipa-ldap-updater, for example:
--8<--8<--8<--8<--8<--8<--8<--
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
-->8-->8-->8-->8-->8-->8-->8--

and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update

I'm not sure if running server upgrade would not restore the
configuration, though.

On the other hand, if no users are going to use the configuration, it
should not hurt anymore to have it enabled. With current slapi-nis state
there should be no problems anymore.
--
/ Alexander Bokovoy

From jhrozek at redhat.com Fri Mar 4 10:14:38 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 4 Mar 2016 11:14:38 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304091047.GW4492@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com>
Message-ID: <20160304101438.GP2812@hendrix>

On Fri, Mar 04, 2016 at 11:10:47AM +0200, Alexander Bokovoy wrote:
> On the other hand, if no users are going to use the configuration, it
> should not hurt anymore to have it enabled. With current slapi-nis state
> there should be no problems anymore.

I admit I haven't been following the slapi-nis patches closely. Are you
saying that if no sssd clients are using the slapi-nis tree (remember we
used the tree mostly for sudo rules lately) the users wouldn't see
issues that they were seeing previously (IIRC it had to do with locking
because every auth, so also every bind was a write operation)?

Or were these issues fixed in slapi-nis so even using the compat tree
for sudo rules would not be problematic anymore?

From abokovoy at redhat.com Fri Mar 4 10:25:32 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Mar 2016 12:25:32 +0200
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304101438.GP2812@hendrix>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <20160304101438.GP2812@hendrix>
Message-ID: <20160304102532.GX4492@redhat.com>

On Fri, 04 Mar 2016, Jakub Hrozek wrote:
>On Fri, Mar 04, 2016 at 11:10:47AM +0200, Alexander Bokovoy wrote:
>> On the other hand, if no users are going to use the configuration, it
>> should not hurt anymore to have it enabled. With current slapi-nis state
>> there should be no problems anymore.
>
>I admit I haven't been following the slapi-nis patches closely. Are you
>saying that if no sssd clients are using the slapi-nis tree (remember we
>used the tree mostly for sudo rules lately) the users wouldn't see
>issues that they were seeing previously (IIRC it had to do with locking
>because every auth, so also every bind was a write operation)?
>
>Or were these issues fixed in slapi-nis so even using the compat tree
>for sudo rules would not be problematic anymore?
These issues were because slapi-nis has a single lock that was taken for a long time when processing reads due to clients not reading out the data and thus mingling with write operations.

The change we did in slapi-nis 0.55 is by allowing reads to operate on a private copy of that data, thus dropping locks way before results are sent out -- now if a client refuses to read the data, nothing holds the lock to internal slapi-nis structure anymore.

--
/ Alexander Bokovoy

From tbabej at redhat.com Fri Mar 4 11:49:46 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 4 Mar 2016 12:49:46 +0100
Subject: [Freeipa-devel] [PATCH 0404] ipalib: Fix user certificate docstrings
Message-ID: <56D9765A.4040602@redhat.com>

Hi,

this fixes incorrect usercertificate attribute docstrings in several IPA objects.

Tomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbabej-0404-ipalib-Fix-user-certificate-docstrings.patch
Type: text/x-patch
Size: 2116 bytes
Desc: not available
URL:

From mkosek at redhat.com Fri Mar 4 11:56:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 12:56:41 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304091047.GW4492@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com>
Message-ID: <56D977F9.9030002@redhat.com>

On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
> On Fri, 04 Mar 2016, Martin Kosek wrote:
>> Hi Alexander and others,
>>
>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
>> will be able to disable the sudoers schema compatibility tree
>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>
>> Right now, I am only aware of an attribute to disable the whole Schema Compat
>> plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>> with legacy clients reading from Compat tree.
>>
>> I am thinking, is there an easy way we can recommend to admins on how to do
>> disable just certain Schema Compatibility rules? Ideally having a config
>> options something like:
>>
>> schema-compat-enabled: on|off
>>
>> That could be changed via ldapmodify.
>>
>> [1] https://fedorahosted.org/sssd/ticket/1108
> There is nothing like that in slapi-nis. If you want to remove container
> configuration, you just remove it.
>
> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
> Compatibility,cn=plugins,cn=config"'
> is our simplest way.
>
> One can create an update file for ipa-ldap-updater, for example:
> --8<--8<--8<--8<--8<--8<--8<--
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> -->8-->8-->8-->8-->8-->8-->8--
>
> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update

This is what I was afraid of...

> I'm not sure if running server upgrade would not restore the
> configuration, though.

I think it would.

> On the other hand, if no users are going to use the configuration, it
> should not hurt anymore to have it enabled. With current slapi-nis state
> there should be no problems anymore.

Well, slapi-nis will still maintain the memory cache, AFAIK.

How difficult would it be to implement

schema-compat-enabled: on|off

? It seems to me as the best way forward.

From abokovoy at redhat.com Fri Mar 4 11:59:36 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Mar 2016 13:59:36 +0200
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <56D977F9.9030002@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com>
Message-ID: <20160304115936.GZ4492@redhat.com>

On Fri, 04 Mar 2016, Martin Kosek wrote:
>On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>> Hi Alexander and others,
>>>
>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older
>>> will be able to disable the sudoers schema compatibility tree
>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>
>>> Right now, I am only aware of an attribute to disable the whole Schema Compat
>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>>> with legacy clients reading from Compat tree.
>>>
>>> I am thinking, is there an easy way we can recommend to admins on how to do
>>> disable just certain Schema Compatibility rules? Ideally having a config
>>> options something like:
>>>
>>> schema-compat-enabled: on|off
>>>
>>> That could be changed via ldapmodify.
>>>
>>> [1] https://fedorahosted.org/sssd/ticket/1108
>> There is nothing like that in slapi-nis. If you want to remove container
>> configuration, you just remove it.
>>
>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>> Compatibility,cn=plugins,cn=config"'
>> is our simplest way.
>>
>> One can create an update file for ipa-ldap-updater, for example:
>> --8<--8<--8<--8<--8<--8<--8<--
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> -->8-->8-->8-->8-->8-->8-->8--
>>
>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>
>This is what I was afraid of...
>
>> I'm not sure if running server upgrade would not restore the
>> configuration, though.
>
>I think it would.
>
>> On the other hand, if no users are going to use the configuration, it
>> should not hurt anymore to have it enabled. With current slapi-nis state
>> there should be no problems anymore.
>
>Well, slapi-nis will still maintain the memory cache, AFAIK.
>
>How difficult would it be to implement
>
>schema-compat-enabled: on|off
>
>? It seems to me as the best way forward.

The attribute itself is not hard to implement. It is much more complex
to ensure the map is ignored if disabled.

--
/ Alexander Bokovoy

From mkosek at redhat.com Fri Mar 4 12:06:36 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 13:06:36 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304115936.GZ4492@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com> <20160304115936.GZ4492@redhat.com>
Message-ID: <56D97A4C.4000705@redhat.com>

On 03/04/2016 12:59 PM, Alexander Bokovoy wrote:
> On Fri, 04 Mar 2016, Martin Kosek wrote:
>> On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>> Hi Alexander and others,
>>>>
>>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>>>> older
>>>> will be able to disable the sudoers schema compatibility tree
>>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>>
>>>> Right now, I am only aware of an attribute to disable the whole Schema Compat
>>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>>>> with legacy clients reading from Compat tree.
>>>>
>>>> I am thinking, is there an easy way we can recommend to admins on how to do
>>>> disable just certain Schema Compatibility rules? Ideally having a config
>>>> options something like:
>>>>
>>>> schema-compat-enabled: on|off
>>>>
>>>> That could be changed via ldapmodify.
>>>>
>>>> [1] https://fedorahosted.org/sssd/ticket/1108
>>> There is nothing like that in slapi-nis. If you want to remove container
>>> configuration, you just remove it.
>>>
>>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>>> Compatibility,cn=plugins,cn=config"'
>>> is our simplest way.
>>>
>>> One can create an update file for ipa-ldap-updater, for example:
>>> --8<--8<--8<--8<--8<--8<--8<--
>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>> -->8-->8-->8-->8-->8-->8-->8--
>>>
>>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>>
>> This is what I was afraid of...
>>
>>> I'm not sure if running server upgrade would not restore the
>>> configuration, though.
>>
>> I think it would.
>>
>>> On the other hand, if no users are going to use the configuration, it
>>> should not hurt anymore to have it enabled. With current slapi-nis state
>>> there should be no problems anymore.
>>
>> Well, slapi-nis will still maintain the memory cache, AFAIK.
>>
>> How difficult would it be to implement
>>
>> schema-compat-enabled: on|off
>>
>> ? It seems to me as the best way forward.
> The attribute itself is not hard to implement. It is much more complex
> to ensure the map is ignored if disabled.

Even if we require 389-ds-base restart after this configuration? I would guess
that it should be then easy to simply ignore the disabled rule and do not load it.

From abokovoy at redhat.com Fri Mar 4 12:09:43 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Mar 2016 14:09:43 +0200
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <56D97A4C.4000705@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com> <20160304115936.GZ4492@redhat.com> <56D97A4C.4000705@redhat.com>
Message-ID: <20160304120943.GA4492@redhat.com>

On Fri, 04 Mar 2016, Martin Kosek wrote:
>On 03/04/2016 12:59 PM, Alexander Bokovoy wrote:
>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>> On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>> Hi Alexander and others,
>>>>>
>>>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>>>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>>>>> older
>>>>> will be able to disable the sudoers schema compatibility tree
>>>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>>>
>>>>> Right now, I am only aware of an attribute to disable the whole Schema Compat
>>>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for people
>>>>> with legacy clients reading from Compat tree.
>>>>>
>>>>> I am thinking, is there an easy way we can recommend to admins on how to do
>>>>> disable just certain Schema Compatibility rules? Ideally having a config
>>>>> options something like:
>>>>>
>>>>> schema-compat-enabled: on|off
>>>>>
>>>>> That could be changed via ldapmodify.
>>>>>
>>>>> [1] https://fedorahosted.org/sssd/ticket/1108
>>>> There is nothing like that in slapi-nis. If you want to remove container
>>>> configuration, you just remove it.
>>>>
>>>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>>>> Compatibility,cn=plugins,cn=config"'
>>>> is our simplest way.
>>>>
>>>> One can create an update file for ipa-ldap-updater, for example:
>>>> --8<--8<--8<--8<--8<--8<--8<--
>>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>> -->8-->8-->8-->8-->8-->8-->8--
>>>>
>>>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>>>
>>> This is what I was afraid of...
>>>
>>>> I'm not sure if running server upgrade would not restore the
>>>> configuration, though.
>>>
>>> I think it would.
>>>
>>>> On the other hand, if no users are going to use the configuration, it
>>>> should not hurt anymore to have it enabled. With current slapi-nis state
>>>> there should be no problems anymore.
>>>
>>> Well, slapi-nis will still maintain the memory cache, AFAIK.
>>>
>>> How difficult would it be to implement
>>>
>>> schema-compat-enabled: on|off
>>>
>>> ? It seems to me as the best way forward.
>> The attribute itself is not hard to implement. It is much more complex
>> to ensure the map is ignored if disabled.
>
>Even if we require 389-ds-base restart after this configuration? I would guess
>that it should be then easy to simply ignore the disabled rule and do not load it.

It is not about restart. slapi-nis has long supported changing
configuration on flight. You don't need to restart 389-ds on removal of
the configuration.

Removing this feature is certainly not welcomed.

My observation about the complexity is basically questioning the need to
do such switch at all -- by working on the switch we are delaying work
on slapi-nis successor.

--
/ Alexander Bokovoy

From tbabej at redhat.com Fri Mar 4 12:11:05 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 4 Mar 2016 13:11:05 +0100
Subject: [Freeipa-devel] [PATCH 0429] fix suspicious except statement
In-Reply-To: <56D72184.4040906@redhat.com>
References: <56D7121C.90800@redhat.com> <56D72184.4040906@redhat.com>
Message-ID: <56D97B59.5000104@redhat.com>

On 03/02/2016 06:23 PM, Martin Basti wrote:
>
>
> On 02.03.2016 17:17, Martin Basti wrote:
>> Patch attached, read commit message for more info.
>>
>>
> https://fedorahosted.org/freeipa/ticket/5718
>
> Updated patch attached.
>
>

Good catch, ACK. Issue is present both in master and ipa-4-3.

Pushed to:
master: 2c8e100c73ee1f0c9b57a0aabfc8ab8820e80687
ipa-4-3: 367a1cbd1e01cf758414f97606028571768fb459

From mbasti at redhat.com Fri Mar 4 12:21:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 4 Mar 2016 13:21:33 +0100
Subject: [Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys
In-Reply-To: <420914238.41602750.1457081295829.JavaMail.zimbra@redhat.com>
References: <56D715CE.3040003@redhat.com> <420914238.41602750.1457081295829.JavaMail.zimbra@redhat.com>
Message-ID: <56D97DCD.6030607@redhat.com>

On 04.03.2016 09:48, David Kupka wrote:
> This patch is going to master branch only. Works for me, ACK.
>
> ----- Original Message -----
> From: "Martin Basti"
> To: "freeipa-devel"
> Sent: Wednesday, March 2, 2016 5:33:18 PM
> Subject: [Freeipa-devel] [PATCH 0430] remove unused argument from function update_ssh_keys
>
> Patch attached, see commit message for details
>

Pushed to master: 2211e9a6fafb4ea86053ad1cd1951c1c2d45f430

From mkosek at redhat.com Fri Mar 4 12:21:48 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 13:21:48 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304120943.GA4492@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com> <20160304115936.GZ4492@redhat.com> <56D97A4C.4000705@redhat.com> <20160304120943.GA4492@redhat.com>
Message-ID: <56D97DDC.9030404@redhat.com>

On 03/04/2016 01:09 PM, Alexander Bokovoy wrote:
> On Fri, 04 Mar 2016, Martin Kosek wrote:
>> On 03/04/2016 12:59 PM, Alexander Bokovoy wrote:
>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>> On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>>> Hi Alexander and others,
>>>>>>
>>>>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>>>>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>>>>>> older
>>>>>> will be able to disable the sudoers schema compatibility tree
>>>>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>>>>
>>>>>> Right now, I am only aware of an attribute to disable the whole Schema
>>>>>> Compat
>>>>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for
>>>>>> people
>>>>>> with legacy clients reading from Compat tree.
>>>>>>
>>>>>> I am thinking, is there an easy way we can recommend to admins on how to do
>>>>>> disable just certain Schema Compatibility rules? Ideally having a config
>>>>>> options something like:
>>>>>>
>>>>>> schema-compat-enabled: on|off
>>>>>>
>>>>>> That could be changed via ldapmodify.
>>>>>>
>>>>>> [1] https://fedorahosted.org/sssd/ticket/1108
>>>>> There is nothing like that in slapi-nis. If you want to remove container
>>>>> configuration, you just remove it.
>>>>>
>>>>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>>>>> Compatibility,cn=plugins,cn=config"'
>>>>> is our simplest way.
>>>>>
>>>>> One can create an update file for ipa-ldap-updater, for example:
>>>>> --8<--8<--8<--8<--8<--8<--8<--
>>>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>> -->8-->8-->8-->8-->8-->8-->8--
>>>>>
>>>>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>>>>
>>>> This is what I was afraid of...
>>>>
>>>>> I'm not sure if running server upgrade would not restore the
>>>>> configuration, though.
>>>>
>>>> I think it would.
>>>>
>>>>> On the other hand, if no users are going to use the configuration, it
>>>>> should not hurt anymore to have it enabled. With current slapi-nis state
>>>>> there should be no problems anymore.
>>>>
>>>> Well, slapi-nis will still maintain the memory cache, AFAIK.
>>>>
>>>> How difficult would it be to implement
>>>>
>>>> schema-compat-enabled: on|off
>>>>
>>>> ? It seems to me as the best way forward.
>>> The attribute itself is not hard to implement. It is much more complex
>>> to ensure the map is ignored if disabled.
>>
>> Even if we require 389-ds-base restart after this configuration? I would guess
>> that it should be then easy to simply ignore the disabled rule and do not
>> load it.
> It is not about restart. slapi-nis has long supported changing
> configuration on flight. You don't need to restart 389-ds on removal of
> the configuration.
>
> Removing this feature is certainly not welcomed.
>
> My observation about the complexity is basically questioning the need to
> do such switch at all -- by working on the switch we are delaying work
> on slapi-nis successor.

My point is that if we do not have a nice and easy way of disabling the Schema
Compat rules, the whole value of not using Schema Compat trees by SSSD is
lower, as we cannot save the memory and CPU for 389-ds-base in maintaining this
extra trees - right?

As you talk about the slapi-nis successor, is there any technical way of a
short-term approach that would let us do the proposed, before we get the successor?

From mrniranjan at fedoraproject.org Fri Mar 4 13:11:04 2016
From: mrniranjan at fedoraproject.org (Niranjan)
Date: Fri, 4 Mar 2016 18:41:04 +0530
Subject: [Freeipa-devel] [python-pytest-multihost] Request to add support to specify username/password for each host
In-Reply-To: <20160303163638.GA5277@mniranja.pnq.redhat.com>
References: <20160226101434.GA18928@mniranja.pnq.redhat.com> <20160229112631.GA13353@mniranja.pnq.redhat.com> <20160229160744.GA18511@mniranja.pnq.redhat.com> <20160229165748.GA19752@mniranja.pnq.redhat.com> <56D5C0C0.5010500@redhat.com> <56D8597F.5030404@redhat.com> <20160303163638.GA5277@mniranja.pnq.redhat.com>
Message-ID: <20160304131104.GA12998@mniranja.pnq.redhat.com>

Niranjan wrote:
> Petr Viktorin wrote:
> > On 03/01/2016 05:18 PM, Petr Viktorin wrote:
> > > On 02/29/2016 05:57 PM, Niranjan wrote:
> > >> Greetings,
> > >>
> > >> Attached wrong patch in my last mail. Request to review the patch
> > >> attached to this email
> > >>
> > >
> > > Hello,
> > > I've generalized the patch a bit to make it use existing host
> > > attributes, and I added tests.
> > > Could you check if it still works for you?
> >
> > I've tested a little bit more, and went ahead and released v1.0 with
> > this patch.
> > It should be available on PyPI and in Fedora Rawhide & 24. For Fedora
> > 23, please test and give appropriate karma:
> > https://bodhi.fedoraproject.org/updates/FEDORA-2016-95a1e1b53f
> I apologize for the delay, I found that it failed in my environment, I am still
> investigating, I got busy with some other things in my plate. I will get back
> with my observations by tomorrow.

The changes made are working now in my environment. Thanks a lot for your inputs for this feature.

>
>
> Regards
> Niranjan
> >
> >
> > --
> > Petr Viktorin

From tbabej at redhat.com Fri Mar 4 13:13:08 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 4 Mar 2016 14:13:08 +0100
Subject: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
In-Reply-To: <56D5AB3F.6080702@redhat.com>
References: <56D5AB3F.6080702@redhat.com>
Message-ID: <56D989E4.908@redhat.com>

On 03/01/2016 03:46 PM, Petr Spacek wrote:
> Hello,
>
> Pylint: enable parallelism
>
> The config file specifies 8 cores but Pylint very quickly
> ends up with 3 cores so do not worry about overwhelming your system.

I like the idea of the patch, however, on my single-CPU VM this causes additional overhead and lint ends up taking more time (+15%).

From the pylint docs [1]:

If the provided number is 0 then the number of CPUs will be used.

I'd suggest we use this value instead, to get the best of both worlds :)

Tomas

[1] https://docs.pylint.org/run.html

From abokovoy at redhat.com Fri Mar 4 13:30:05 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 4 Mar 2016 15:30:05 +0200
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <56D97DDC.9030404@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com> <20160304115936.GZ4492@redhat.com> <56D97A4C.4000705@redhat.com> <20160304120943.GA4492@redhat.com> <56D97DDC.9030404@redhat.com>
Message-ID: <20160304133005.GC4492@redhat.com>

On Fri, 04 Mar 2016, Martin Kosek wrote:
>On 03/04/2016 01:09 PM, Alexander Bokovoy wrote:
>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>> On 03/04/2016 12:59 PM, Alexander Bokovoy wrote:
>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>> On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>>>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>>>> Hi Alexander and others,
>>>>>>>
>>>>>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree [1].
>>>>>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>>>>>>> older
>>>>>>> will be able to disable the sudoers schema compatibility tree
>>>>>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>>>>>
>>>>>>> Right now, I am only aware of an attribute to disable the whole Schema
>>>>>>> Compat
>>>>>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for
>>>>>>> people
>>>>>>> with legacy clients reading from Compat tree.
>>>>>>>
>>>>>>> I am thinking, is there an easy way we can recommend to admins on how to do
>>>>>>> disable just certain Schema Compatibility rules? Ideally having a config
>>>>>>> options something like:
>>>>>>>
>>>>>>> schema-compat-enabled: on|off
>>>>>>>
>>>>>>> That could be changed via ldapmodify.
>>>>>>>
>>>>>>> [1] https://fedorahosted.org/sssd/ticket/1108
>>>>>> There is nothing like that in slapi-nis. If you want to remove container
>>>>>> configuration, you just remove it.
>>>>>>
>>>>>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>>>>>> Compatibility,cn=plugins,cn=config"'
>>>>>> is our simplest way.
>>>>>>
>>>>>> One can create an update file for ipa-ldap-updater, for example:
>>>>>> --8<--8<--8<--8<--8<--8<--8<--
>>>>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>>> -->8-->8-->8-->8-->8-->8-->8--
>>>>>>
>>>>>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>>>>>
>>>>> This is what I was afraid of...
>>>>>
>>>>>> I'm not sure if running server upgrade would not restore the
>>>>>> configuration, though.
>>>>>
>>>>> I think it would.
>>>>>
>>>>>> On the other hand, if no users are going to use the configuration, it
>>>>>> should not hurt anymore to have it enabled. With current slapi-nis state
>>>>>> there should be no problems anymore.
>>>>>
>>>>> Well, slapi-nis will still maintain the memory cache, AFAIK.
>>>>>
>>>>> How difficult would it be to implement
>>>>>
>>>>> schema-compat-enabled: on|off
>>>>>
>>>>> ? It seems to me as the best way forward.
>>>> The attribute itself is not hard to implement. It is much more complex
>>>> to ensure the map is ignored if disabled.
>>>
>>> Even if we require 389-ds-base restart after this configuration? I would guess
>>> that it should be then easy to simply ignore the disabled rule and do not
>>> load it.
>> It is not about restart. slapi-nis has long supported changing
>> configuration on flight. You don't need to restart 389-ds on removal of
>> the configuration.
>>
>> Removing this feature is certainly not welcomed.
>>
>> My observation about the complexity is basically questioning the need to
>> do such switch at all -- by working on the switch we are delaying work
>> on slapi-nis successor.
>
>My point is that if we do not have a nice and easy way of disabling the Schema
>Compat rules, the whole value of not using Schema Compat trees by SSSD is
>lower, as we cannot save the memory and CPU for 389-ds-base in maintaining this
>extra trees - right?
>
>As you talk about the slapi-nis successor, is there any technical way of a
>short-term approach that would let us do the proposed, before we get the successor?

Give me some time to look what I can do.

--
/ Alexander Bokovoy

From slaznick at redhat.com Fri Mar 4 13:53:33 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 4 Mar 2016 14:53:33 +0100
Subject: [Freeipa-devel] [WIP] Time-Based HBAC Policies
Message-ID: <56D9935D.9050507@redhat.com>

Hello,

So in the previous month and a bit I was reworking the time-based policies according to the changes we agreed on (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line 83). Let me briefly walk you through what was done (no TLDR, sorry, but split the text in chapters):

*Time rule templates*

In the attachment is the proposal how this could be done using costemplates. Currently, the time rule templates have their own directory in the realm tree. The idea is that it could be used for both HBAC and Sudo rules so it needs to be in a location both should be able to reach. Should we not want them used in Sudo rules, the template directory could be moved to HBAC directory. There are also some new permissions for accessing these time rule templates which may need to be revised if the templates should be used both for sudo and HBAC rules.

*iCalendar format validation*

So there is an iCalendar string validation now. During its creation, I came across several issues with python-icalendar which is basically why it took me so long to write the validation. I made several fixes to the python-icalendar library, most of them are already merged in the repository master (https://github.com/collective/icalendar), one should be pushed in the next library major release. My pull requests:
https://github.com/collective/icalendar/pull/175
https://github.com/collective/icalendar/pull/179
https://github.com/collective/icalendar/pull/180
https://github.com/collective/icalendar/pull/183
https://github.com/collective/icalendar/pull/189

I still have one fix in the making, that one should force the strong types in iCalendar as these are also missing in python-icalendar but required by the RFC.

Also, obviously, if you want to try the patches, you will need the current python-icalendar implementation from Github. I haven't put python-icalendar dependency into the .spec file yet for this reason.

*Summary*

We are now able to import iCalendar strings from files and more or less be sure that the parts we need will be consistent with the RFC 5545 (basically, we are only checking that VEVENT components are correct, to bring strict checking to python-icalendar would take some time and I believe I spent way too much time with it already (there is an issue on their github page, though, it's 4 years old)).

*TODO now*

0) Update the design

1a) The hbacrule-*-accesstime should probably be split into 2 commands, one that reads iCalendar strings from files, and one that creates those strings from "some kind of user input" (similarly for timeruletemplates).

1b) Create the format of user input we could expect for the second kind of command from 1a). We need to be able to convert it to iCalendar string and back so that we are able to present the data stored on the server in human readable form. http://jkbrzt.github.io/rrule/ NL part might be of help although it aims mostly on RRULE property of VEVENT components, whereas we may want to use DTEND, EXDATE, RDATE and DURATION as well to be able to specify events more properly.

2) Represent the HBAC time rules on SSSD side. I already have a skeleton of this based on libical (https://github.com/libical/libical), which hopefully seems to be more viable than python-icalendar. I do not mean to do the validation of received iCalendar string on the SSSD side anymore (at least not in an excessive way), just get the required properties from VEVENT components and evaluate them accordingly.

*Discuss*

I would really appreciate your input on these topics:

1) How to represent the iCalendar strings on the client side in CLI (while thinking about WebUI as well)?
2a) Do we want to use the time rules for Sudo rules as well?
2b) If 2a), is the proposed location of time rule templates along with the privileges ok?

Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-HBAC-Access-Time-Rules-icalendar-format-validation.patch
Type: text/x-patch
Size: 14926 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Templating-of-access-time-rules-for-HBAC.patch
Type: text/x-patch
Size: 22745 bytes
Desc: not available
URL:

From pspacek at redhat.com Fri Mar 4 14:04:46 2016
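The VEVENT-level checking that the time-based HBAC message above describes, shown with the Python standard library only: unfold the content lines, pull out each VEVENT, and check the RFC 5545 constraints an access-time rule depends on. This is an added example, not part of the original post and not the FreeIPA patch or python-icalendar code; the function names, the sample calendars and the rule that DTSTART is mandatory are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

FREQS = {"SECONDLY", "MINUTELY", "HOURLY", "DAILY", "WEEKLY", "MONTHLY", "YEARLY"}
FORMATS = {8: "%Y%m%d", 15: "%Y%m%dT%H%M%S", 16: "%Y%m%dT%H%M%SZ"}  # by value length


def unfold(text):
    """Undo RFC 5545 folding: a line break followed by space or tab continues a line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()


def split_content_line(line):
    """Split 'NAME;params:value' at the first ':' outside a quoted parameter value."""
    in_quotes = False
    for pos, char in enumerate(line):
        if char == '"':
            in_quotes = not in_quotes
        elif char == ":" and not in_quotes:
            name, _, params = line[:pos].partition(";")
            return name.upper(), params, line[pos + 1:]
    raise ValueError("content line has no ':' separator: %r" % line)


def extract_vevents(text):
    """Return each VEVENT as a list of (name, params, value); reject broken nesting."""
    stack, events, current = [], [], None
    for line in filter(str.strip, unfold(text)):
        name, params, value = split_content_line(line)
        if name == "BEGIN":
            if value.upper() == "VEVENT":
                if current is not None:
                    raise ValueError("VEVENT nested inside VEVENT")
                current = []
            stack.append(value.upper())
        elif name == "END":
            if not stack or stack.pop() != value.upper():
                raise ValueError("unbalanced END:%s" % value)
            if value.upper() == "VEVENT":
                events.append(current)
                current = None
        elif current is not None and stack[-1] == "VEVENT":
            current.append((name, params, value))  # lines of a nested VALARM are skipped
    if stack:
        raise ValueError("unterminated component: %s" % stack[-1])
    return events


def validate_vevent(props):
    """Return problems in one VEVENT ([] = passed); DTSTART is required by assumption."""
    problems = []
    counts = Counter(name for name, _, _ in props)
    for name in ("UID", "DTSTAMP", "DTSTART"):
        if counts[name] != 1:
            problems.append("%s must appear exactly once, found %d" % (name, counts[name]))
    if counts["DTEND"] and counts["DURATION"]:
        problems.append("DTEND and DURATION are mutually exclusive")
    seen = {}
    for name, params, value in props:
        if name in ("DTSTART", "DTEND"):
            try:
                parsed = datetime.strptime(value, FORMATS[len(value)])
                seen.setdefault(name, (params, len(value), parsed))
            except (KeyError, ValueError):
                problems.append("%s is not a valid DATE or DATE-TIME" % name)
        elif name == "RRULE":
            parts = dict(p.partition("=")[::2] for p in value.upper().split(";") if p)
            if parts.get("FREQ") not in FREQS:
                problems.append("RRULE needs a valid FREQ")
            if "UNTIL" in parts and "COUNT" in parts:
                problems.append("RRULE must not combine UNTIL and COUNT")
    start, end = seen.get("DTSTART"), seen.get("DTEND")
    # Compare only like with like: same parameters (e.g. TZID) and same value form.
    if start and end and start[:2] == end[:2] and end[2] <= start[2]:
        problems.append("DTEND must be later than DTSTART")
    return problems


def validate_time_rule(text):
    """Validate every VEVENT of an iCalendar string; return {index: [problems]}."""
    events = extract_vevents(text)
    if not events:
        raise ValueError("no VEVENT component found")
    return {index: validate_vevent(props) for index, props in enumerate(events)}


# Constructed samples: a weekday working-hours rule (folded RRULE) and a broken one.
GOOD = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed//sample//EN", "BEGIN:VEVENT",
    "UID:rule-1@example.test", "DTSTAMP:20160304T135333Z",
    "DTSTART;TZID=Europe/Prague:20160307T080000", "DTEND;TZID=Europe/Prague:20160307T170000",
    "RRULE:FREQ=WEEKLY;BYDAY=MO,TU,", " WE,TH,FR", "BEGIN:VALARM", "ACTION:DISPLAY",
    "DESCRIPTION:skipped", "TRIGGER:-PT5M", "END:VALARM", "END:VEVENT", "END:VCALENDAR", ""])
BAD = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "UID:rule-2@example.test",
    "DTSTART:20160307T170000Z", "DTEND:20160307T080000Z", "DURATION:PT9H",
    "RRULE:FREQ=FORTNIGHTLY;COUNT=3;UNTIL=20161231T000000Z", "END:VEVENT", "END:VCALENDAR", ""])
```

An access decision should treat any non-empty problem list, or a `ValueError` from the parser, as a rejected rule rather than as "no time restriction".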
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 4 Mar 2016 15:04:46 +0100 Subject: [Freeipa-devel] [PATCH 0390] Fix build with GCC 4.9+ In-Reply-To: <20160303075911.GA3753@mail.corp.redhat.com> References: <56C710B0.3020005@redhat.com> <56CF166F.1010003@redhat.com> <20160301110658.GA31766@mail.corp.redhat.com> <56D59AA1.5070306@redhat.com> <20160303075911.GA3753@mail.corp.redhat.com> Message-ID: <56D995FE.8020504@redhat.com> On 3.3.2016 08:59, Lukas Slebodnik wrote: > On (01/03/16 14:35), Petr Spacek wrote: >> On 1.3.2016 12:06, Lukas Slebodnik wrote: >>> On (25/02/16 15:57), Petr Spacek wrote: >>>> On 19.2.2016 13:55, Petr Spacek wrote: >>>>> Hello, >>>>> >>>>> Fix build with GCC 4.9+. >>>>> >>>>> GCC 4.9+ is too aggressive when optimizing functions with nonnull >>>>> attributes. This removes most of asserts() in the plugin. >>>>> GCC 6 adds warnings for these cases. >>>>> >>>>> We are disabling the unwanted condition pruning by adding >>>>> -fno-delete-null-pointer-checks argument. >>>>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >>>>> >>>>> Additionally we silence warnings to prevent build failures when -Werror >>>>> is used. >>>>> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >>>> >>>> Updated version is attached. It contains less autotools magic because it >>>> enables attribute nonnull only under Clang static analyzer and Coverity - as a >>>> result we do not have to silence GCC warnings from -Wnonnull. >>>> >>>> Please review so I can fix build in Fedora 24. >>>> >>>> Thank you. >>>> >>>> -- >>>> Petr^2 Spacek >>> >>> >From 4732fe9f4e525c44b46e7ed0734ccaec94fba49e Mon Sep 17 00:00:00 2001 
>>>> From: Petr Spacek >>>> Date: Fri, 19 Feb 2016 13:39:27 +0100 >>>> Subject: [PATCH] Fix build with GCC 4.9+. >>>> >>>> GCC 4.9+ is too aggressive when optimizing functions with nonnull >>>> attributes. This removes most of asserts() in the plugin. >>>> GCC 6 adds warnings for these cases. >>>> >>>> We are disabling the unwanted condition pruning by adding >>>> -fno-delete-null-pointer-checks argument. >>>> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >>>> >>>> Additionally we enable nonnull attribute only when the build is running under >>>> Clang static analyzer or Coverity. >>>> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >>>> --- >>>> configure.ac | 13 +++++++++++++ >>>> src/util.h | 8 ++++++-- >>>> 2 files changed, 19 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/configure.ac b/configure.ac >>>> index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..a0123ac0a62b5acd5238f028d8c42e83af4060db 100644 >>>> --- a/configure.ac >>>> +++ b/configure.ac 
>>>> @@ -39,6 +39,19 @@ AC_TRY_COMPILE([ >>>> [CFLAGS="$SAVED_CFLAGS" >>>> AC_MSG_RESULT([no])]) >>>> >>>> +# Check if build chain supports -fno-delete-null-pointer-checks >>>> +# this flag avoids too agressive optimizations which would remove some asserts >>>> +# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >>>> +AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >>>> +SAVED_CFLAGS="$CFLAGS" >>>> +CFLAGS="$CFLAGS -fno-delete-null-pointer-checks" >>>> +AC_TRY_COMPILE([ >>>> + extern int fdef(void); >>>> +],[], >>>> +[AC_MSG_RESULT([yes])], >>>> +[CFLAGS="$SAVED_CFLAGS" >>>> + AC_MSG_RESULT([no])]) >>>> + >>> NACK. >>> >>> It failes with clang. >>> >>> configure:12982: checking for -fno-delete-null-pointer-checks compiler flag >>> configure:12999: clang -c -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fno-delete-null-pointer-checks conftest.c >&5 >>> clang-3.8: warning: optimization flag '-fno-delete-null-pointer-checks' is not supported >>> clang-3.8: warning: argument unused during compilation: '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' >>> configure:12999: $? = 0 >>> configure:13000: result: yes >>> >>> Reproducer: >>> autoreconf -if && CC=clang ./configure && make >> >> Thanks! I was testing this only with Clang static analyzer ... >> >> Here is updated patch. >> >> -- >> Petr^2 Spacek > >>From 6b2ac51fe4ff75c9f59499cbaa4306f70db46425 Mon Sep 17 00:00:00 2001 
>> From: Petr Spacek >> Date: Fri, 19 Feb 2016 13:39:27 +0100 >> Subject: [PATCH] Fix build with GCC 4.9+. >> >> GCC 4.9+ is too aggressive when optimizing functions with nonnull >> attributes. This removes most of asserts() in the plugin. >> GCC 6 adds warnings for these cases. >> >> We are disabling the unwanted condition pruning by adding >> -fno-delete-null-pointer-checks argument. >> BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a. >> >> Additionally we enable nonnull attribute only when the build is running under >> Clang static analyzer or Coverity. >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1307346 >> --- >> configure.ac | 14 ++++++++++++++ >> src/util.h | 8 ++++++-- >> 2 files changed, 20 insertions(+), 2 deletions(-) >> >> diff --git a/configure.ac b/configure.ac >> index a06708b1a5ee64bb64c80272c10ed1a35670c8d0..48f5cb63c3bb5535fe1da56abe7583e15d4b5f92 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -39,6 +39,20 @@ AC_TRY_COMPILE([ >> [CFLAGS="$SAVED_CFLAGS" >> AC_MSG_RESULT([no])]) >> >> +# Check if build chain supports -fno-delete-null-pointer-checks >> +# this flag avoids too agressive optimizations which would remove some asserts >> +# BIND 9 did the same in its commit 603a78708343f063b44affb882ef93bb19a5142a >> +AC_MSG_CHECKING([for -fno-delete-null-pointer-checks compiler flag]) >> +SAVED_CFLAGS="$CFLAGS" >> +CFLAGS="-fno-delete-null-pointer-checks -Werror" >> +AC_TRY_COMPILE([ >> + extern int fdef(void); >> +],[], >> +[AC_MSG_RESULT([yes]) >> + CFLAGS="$SAVED_CFLAGS -fno-delete-null-pointer-checks"], >> +[CFLAGS="$SAVED_CFLAGS" >> + AC_MSG_RESULT([no])]) >> + >> # Get CFLAGS from isc-config.sh >> AC_ARG_VAR([BIND9_CFLAGS], >> [C compiler flags for bind9, overriding isc-config.sh]) >> diff --git a/src/util.h b/src/util.h >> index 9849ff9b6c38ec1c6dd143440d5b5e584b2ecd51..402503c339a5ab6ca5273cae420e743b9fc252ab 100644 >> --- a/src/util.h >> +++ b/src/util.h 
>> @@ -103,11 +103,15 @@ extern isc_boolean_t verbose_checks; /* from settings.c */ >> /* If no argument index list is given to the nonnull attribute, >> * all pointer arguments are marked as non-null. */ >> #define ATTR_NONNULLS ATTR_NONNULL() >> -#ifdef __GNUC__ >> +#if defined(__COVERITY__) || defined(__clang_analyzer__) >> #define ATTR_NONNULL(...) __attribute__((nonnull(__VA_ARGS__))) >> -#define ATTR_CHECKRESULT __attribute__((warn_unused_result)) >> #else >> #define ATTR_NONNULL(...) >> +#endif >> + >> +#if defined(__GNUC__) >> +#define ATTR_CHECKRESULT __attribute__((warn_unused_result)) >> +#else >> #define ATTR_CHECKRESULT >> #endif > > ACK Thanks, pushed to master: acd26eedac09749f82646ea1ac0a662109cca7a8 -- Petr^2 Spacek From rcritten at redhat.com Fri Mar 4 14:05:20 2016 
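Review bot: in the final configure.ac hunk, the probe line `CFLAGS="-fno-delete-null-pointer-checks -Werror"` needs a comment saying why `-Werror` is there and why `$SAVED_CFLAGS` is left out of the test compile. The clang log quoted earlier in the thread shows the compiler only warning that the flag is not supported and still exiting 0, so without `-Werror` the check answers yes; the existing three-line comment does not mention this, and a later cleanup that restores `$CFLAGS` or drops `-Werror` would bring the false positive back. Since the probe now runs without the user's flags, it is also worth confirming that none of them (for example the `-m64` or `-specs=` options visible in the logged command line) are needed for the toolchain to compile at all, otherwise the check answers no for an unrelated reason.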
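Review bot: in the src/util.h hunk, the new `#if defined(__COVERITY__) || defined(__clang_analyzer__)` guard has no comment explaining why `ATTR_NONNULL` now expands to nothing in ordinary GCC and Clang builds; the reason (GCC 4.9+ using the attribute to optimize away the asserts) is recorded only in the commit message. A short comment above the `#if` would keep someone from widening the condition back to `__GNUC__`. As a style point, `ATTR_NONNULLS` is defined as `ATTR_NONNULL()` above the block that defines `ATTR_NONNULL`; that works for a macro, but it reads more clearly if it follows the `#if`/`#endif` it depends on.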
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 4 Mar 2016 09:05:20 -0500
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D94486.6040703@redhat.com>
References: <56D84F94.3000705@redhat.com> <56D86810.1080600@redhat.com> <56D87122.9000709@redhat.com> <56D94486.6040703@redhat.com>
Message-ID: <56D99620.6000108@redhat.com>

Petr Spacek wrote:
> On 3.3.2016 18:15, Martin Basti wrote:
>>
>>
>> On 03.03.2016 17:36, Petr Vobornik wrote:
>>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>>> Hello all,
>>>>
>>>> related tickets:
>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>> https://fedorahosted.org/freeipa/ticket/5675
>>>> https://fedorahosted.org/freeipa/ticket/5715
>>>>
>>>> I'm trying to implement both tickets, but I don't like the way we
>>>> decided on devel meeting anymore.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>
>>>> 1)
>>>> ipa host-del --updatedns
>>>>
>>>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>>>> explained later). The records are somehow managed by IPA
>>>>
>>>> I don't like the idea of having an extra option to specify record types
>>>> that should be removed or a flag that will remove DNS entry completely.
>>>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>>>> should not be used for managing DNS. If somebody wants better
>>>> granularity, the one should use 'dnsrecord-mod zone rec --type-rec=' or
>>>> 'dnsrecord-del --del-all'
>>>
>>> AFAIK the proposal on devel meeting was:
>>>
>>> --update-dns will delete A, AAAA, SSHFP
>>> --update-dns=all will delete the whole DNS record LDAP entry
>>>
>>> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.
>> Yes this looks for me like doing an alias for dnsrecord-del command
>>
>>>
>>> Then it was agreed that --update-dns won't search for SRV records (not
>>> mentioned here, so OK).
>>>
>>> PTR records weren't discussed or decision was not recorded.
>> When we remove A/AAAA, then we should remove PTR as well
>>>
>>> The proposal above keeps backwards compatibility though it may not be
>>> possible to do with current framework. Or do we have support for multivalued
>>> enum with default value(s) which acts as a flag?
>> It needs big hacks in framework, to support it as Flag for old client and Enum
>> for new clients
>>>
>>> If the new option type is too complicated to introduce, then I would prefer
>>> to keep current option(flag) with behavior matching proposal for
>>> --update-dns or --update-dns=all.
>> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>>
>>>
>>> Definitely big +1 on not introducing a new option.
>>>
>>> No need to over-engineer it.
>>>
>>> Not sure about PTR records.
>>>
>>>>
>>>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
>>>> new option needed
>>>
>>>>
>>>> 2)
>>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>>
>>>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>>>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>>>> without --updatedns option)
>>>
>>> ACK
>>>
>>>>
>>>> 3)
>>>> ipa-client-install --uninstall
>>>>
>>>> SSHFP records are always added via nsupdate to DNS, IMO during client
>>>> uninstall all SSHFP records related to client should be removed via
>>>> nsupdate too.
>>>
>>> IMHO not necessary will be solved either by #5676 and/or #5715(currently
>>> uninstall indirectly calls ipa-host-disable)
>> However host-disable does not do nsupdate, so it will work only for IPA DNS.
>> So if nsupdate set SSHFP on non-IPA server, we do not have reverse operation
>> in uninstall for that.
>>
>>>
>>>>
>>>> 4)
>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>
>>>> ipa-client-install --uninstall --delete-host #suggestions how to name
>>>> option for removing host entry for ldap welcome
>>>>
>>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>>
>>>> I would like to avoid additional DNS related option to be added to
>>>> ipa-client-install
>>>>
>>>> Also do we really want to implement this ticket? What is the gain there?
>>>
>>> The devel discussions which is recorded in
>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>
>>> Suggests to change default behavior in ipa-client-install --uninstall so
>>> that it will call:
>>>
>>> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will
>>> also do #3.
>>>
>>> Further proposal in #5676 is to introduce a new option(--keephost ??) to
>>> keep the host records, i.e., the old behavior.
>>>
>>> But comment:
>>> """
>>> simo: maybe keeping backward compatibility is more important, discuss later
>>> if --remove option would be better
>>> """
>>> suggest that further discussion is needed
>>
>> I agree with backward compatibility here. A current user may be very surprised
>> that all DNS records of the host disappear.
>
> The general problem is that installation process (aka ipa-client-install) is a
> mess without documented design (at least when it comes to DNS parts) so it is
> quite hard to do the reverse on --uninstall.
>
> Given that we're planning to implement integration with external DNS in future
> we might want to postpone ipa-client-install changes related to DNS and do
> overhaul at once.
>
> For example host plugin will need changes as many assumptions about DNS usage
> are oversimplified or simply wrong so delaying changes might save some
> headache caused by two behavior changes in two subsequent releases.
>

I'm not sure what you'd be looking for in ipa-client install but even if
you knew exactly what changes were made I don't think it would be enough
to do everything in uninstall. It wouldn't handle DNS changes made
post-install, for example, so even if state was stored somewhere it could
still result in left-over DNS entries. This is particularly important when
considering client -> master promotion where a slew of DNS entries will be
created.

Or am I misunderstanding your point?

rob

From mkosek at redhat.com Fri Mar 4 14:08:26 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 15:08:26 +0100
Subject: [Freeipa-devel] Disabling Schema Compatibility rule
In-Reply-To: <20160304133005.GC4492@redhat.com>
References: <56D94AC0.1040802@redhat.com> <20160304091047.GW4492@redhat.com> <56D977F9.9030002@redhat.com> <20160304115936.GZ4492@redhat.com> <56D97A4C.4000705@redhat.com> <20160304120943.GA4492@redhat.com> <56D97DDC.9030404@redhat.com> <20160304133005.GC4492@redhat.com>
Message-ID: <56D996DA.3050202@redhat.com>

On 03/04/2016 02:30 PM, Alexander Bokovoy wrote:
> On Fri, 04 Mar 2016, Martin Kosek wrote:
>> On 03/04/2016 01:09 PM, Alexander Bokovoy wrote:
>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>> On 03/04/2016 12:59 PM, Alexander Bokovoy wrote:
>>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>>> On 03/04/2016 10:10 AM, Alexander Bokovoy wrote:
>>>>>>> On Fri, 04 Mar 2016, Martin Kosek wrote:
>>>>>>>> Hi Alexander and others,
>>>>>>>>
>>>>>>>> As you know, SSSD 1.13.4 added support of reading the native SUDO tree
>>>>>>>> [1].
>>>>>>>> This means that FreeIPA deployments with all clients being SSSD 1.13.4 or
>>>>>>>> older
>>>>>>>> will be able to disable the sudoers schema compatibility tree
>>>>>>>> (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).
>>>>>>>>
>>>>>>>> Right now, I am only aware of an attribute to disable the whole Schema
>>>>>>>> Compat
>>>>>>>> plugin (exposed via ipa-compat-manage tool), but this would not fly for
>>>>>>>> people
>>>>>>>> with legacy clients reading from Compat tree.
>>>>>>>>
>>>>>>>> I am thinking, is there an easy way we can recommend to admins on how
>>>>>>>> to do
>>>>>>>> disable just certain Schema Compatibility rules? Ideally having a config
>>>>>>>> options something like:
>>>>>>>>
>>>>>>>> schema-compat-enabled: on|off
>>>>>>>>
>>>>>>>> That could be changed via ldapmodify.
>>>>>>>>
>>>>>>>> [1] https://fedorahosted.org/sssd/ticket/1108
>>>>>>> There is nothing like that in slapi-nis. If you want to remove container
>>>>>>> configuration, you just remove it.
>>>>>>>
>>>>>>> So, doing as DM 'ldapdelete "cn=sudoers,cn=Schema
>>>>>>> Compatibility,cn=plugins,cn=config"'
>>>>>>> is our simplest way.
>>>>>>>
>>>>>>> One can create an update file for ipa-ldap-updater, for example:
>>>>>>> --8<--8<--8<--8<--8<--8<--8<--
>>>>>>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>>>> deleteentry: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>>>>>>> -->8-->8-->8-->8-->8-->8-->8--
>>>>>>>
>>>>>>> and then run it as ipa-ldap-updater ./89-remove-sudo-compat-tree.update
>>>>>>
>>>>>> This is what I was afraid of...
>>>>>>
>>>>>>> I'm not sure if running server upgrade would not restore the
>>>>>>> configuration, though.
>>>>>>
>>>>>> I think it would.
>>>>>>
>>>>>>> On the other hand, if no users are going to use the configuration, it
>>>>>>> should not hurt anymore to have it enabled. With current slapi-nis state
>>>>>>> there should be no problems anymore.
>>>>>>
>>>>>> Well, slapi-nis will still maintain the memory cache, AFAIK.
>>>>>>
>>>>>> How difficult would it be to implement
>>>>>>
>>>>>> schema-compat-enabled: on|off
>>>>>>
>>>>>> ? It seems to me as the best way forward.
>>>>> The attribute itself is not hard to implement. It is much more complex
>>>>> to ensure the map is ignored if disabled.
>>>>
>>>> Even if we require 389-ds-base restart after this configuration? I would guess
>>>> that it should be then easy to simply ignore the disabled rule and do not
>>>> load it.
>>> It is not about restart. slapi-nis has long supported changing
>>> configuration on flight. You don't need to restart 389-ds on removal of
>>> the configuration.
>>>
>>> Removing this feature is certainly not welcomed.
>>>
>>> My observation about the complexity is basically questioning the need to
>>> do such switch at all -- by working on the switch we are delaying work
>>> on slapi-nis successor.
>>
>> My point is that if we do not have a nice and easy way of disabling the Schema
>> Compat rules, the whole value of not using Schema Compat trees by SSSD is
>> lower, as we cannot save the memory and CPU for 389-ds-base in maintaining this
>> extra trees - right?
>>
>> As you talk about the slapi-nis successor, is there any technical way of a
>> short-term approach that would let us do the proposed, before we get the
>> successor?
> Give me some time to look what I can do.

Thank you. First, we should just assess how much it would cost and that
would enable us to compare the costs and benefits and choose to either wait
for the slapi-nis successor or do something now.

Martin

From pspacek at redhat.com Fri Mar 4 14:11:39 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 15:11:39 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
Message-ID: <56D9979B.4070309@redhat.com>

Hello,

I've updated Feature template to make sure that the important design decisions
are recorded somewhere.

Of course all this is open for discussion. I did this soon because I believe
that it is better to actually see how it looks like instead of discussing
vaporware. Wiki has revert button if necessary, feel free to use it.

New texts:
http://www.freeipa.org/page/Feature_template#Design_Assumptions
http://www.freeipa.org/page/Feature_template#Use_Cases

I also did one unrelated change:
Now "Feature Management" chapter precedes "Design" chapter with all the gory
details. This should make the page more useful for random users who find it
using a search engine.

Intents:
1. Consider usability *very* early in the design process.
2. Think about LDAP schema support for UI workflows very early.

DNS locations proved that UI is a nightmare which is better to think about in
the very beginning, even before thinking about LDAP schema.

I hope it will help in long term.

--
Petr^2 Spacek

From mkosek at redhat.com Fri Mar 4 14:23:00 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 15:23:00 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
In-Reply-To: <56D9979B.4070309@redhat.com>
References: <56D9979B.4070309@redhat.com>
Message-ID: <56D99A44.20906@redhat.com>

On 03/04/2016 03:11 PM, Petr Spacek wrote:
> Hello,
>
> I've updated Feature template to make sure that the important design decisions
> are recorded somewhere.
>
> Of course all this is open for discussion. I did this soon because I believe
> that it is better to actually see how it looks like instead of discussing
> vaporware. Wiki has revert button if necessary, feel free to use it.
>
> New texts:
> http://www.freeipa.org/page/Feature_template#Design_Assumptions

Looks good to me.

> http://www.freeipa.org/page/Feature_template#Use_Cases

Does not look good to me. Practical examples of how features is used is in How
to Test section, ideally organized by Use Cases, like in
http://www.freeipa.org/page/V4/User_Certificates#How_to_Test

If we start adding gory details and examples right in Use Cases section, we
would kill the clarity of that section that intends to just give you overview
of the use cases.

I would rather imagine something like

http://www.freeipa.org/page/V4/Authentication_Indicators#Strong_Authentication_on_Selected_System

which is an impromptu format for the new User Story based approach. The
expectations is that rest of the page will then work with these User
Stories/Use Cases, whether it is Design, How To Test, UI examples or Test Plan.

> I also did one unrelated change:
> Now "Feature Management" chapter precedes "Design" chapter with all the gory
> details. This should make the page more useful for random users who find it
> using a search engine.
>
> Intents:
> 1. Consider usability *very* early in the design process.
> 2. Think about LDAP schema support for UI workflows very early.

These are good intents. However, while I agree with the intents, I am curious
how this is supposed to work, because the CLI/UI often works with the terms
that are being defined in Design.

See for example here:
http://www.freeipa.org/page/V4/User_Certificates#Feature_Management
It already assumes you know some parts of the design, like matching attribute.

Or:
http://www.freeipa.org/page/V4/OTP#Feature_Management
It already assumes you know what OTP token is, what Radius Proxy server is and
how it relates, etc.

> DNS locations proved that UI is a nightmare which is better to think about in
> the very beginning, even before thinking about LDAP schema.
>
> I hope it will help in long term.

While it may make sense to *think* about the interfaces first, why does it also
have to be in the design page as the first thing, given it breaks the natural
and logical flow of the text?

From mkosek at redhat.com Fri Mar 4 14:33:40 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 15:33:40 +0100
Subject: [Freeipa-devel] Proposing design template changes (Re: Feature template - proposed changes)
In-Reply-To: <56D9979B.4070309@redhat.com>
References: <56D9979B.4070309@redhat.com>
Message-ID: <56D99CC4.2060903@redhat.com>

On 03/04/2016 03:11 PM, Petr Spacek wrote:
> Hello,
>
> I've updated Feature template to make sure that the important design decisions
> are recorded somewhere.
>
> Of course all this is open for discussion. I did this soon because I believe
> that it is better to actually see how it looks like instead of discussing
> vaporware. Wiki has revert button if necessary, feel free to use it.

Just for the record, I would be cautious when changing such an impactful page
like Design Template. Your way, if somebody now copies the Feature template,
he/she would be basing the design work on a template proposal that was not
discussed yet and that is subject to change.

I believe the Mediawiki approach for that is User name space, where you can do
the proposal by copying this page without affecting the "production design
template":

https://www.mediawiki.org/wiki/Help:Namespaces#User

Just 2 cents. Let me know if there is better way than what I proposed.

Martin

From slaznick at redhat.com Fri Mar 4 14:39:33 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 4 Mar 2016 15:39:33 +0100
Subject: [Freeipa-devel] [WIP] Time-Based HBAC Policies
In-Reply-To: <56D9935D.9050507@redhat.com>
References: <56D9935D.9050507@redhat.com>
Message-ID: <56D99E25.7050502@redhat.com>

Based on Alexander's suggestion I created a copr repo with latest
python-icalendar version.

https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/

On 03/04/2016 02:53 PM, Stanislav Laznicka wrote:
> Hello,
>
> So in the previous month and a bit I was reworking the time-based
> policies according to the changes we agreed on
> (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line
> 83). Let me briefly walk you through what was done (no TLDR, sorry,
> but split the text in chapters):
>
> *Time rule templates*
> In the attachment is the proposal how this could be done using
> costemplates. Currently, the time rule templates have their own
> directory in the realm tree. The idea is that it could be used for
> both HBAC and Sudo rules so it needs to be in a location both should
> be able to reach. Should we not want them used in Sudo rules, the
> template directory could be moved to HBAC directory. There are also
> some new permissions for accessing these time rule templates which may
> need to be revised if the templates should be used both for sudo and
> HBAC rules.
>
> *iCalendar format validation*
> So there is an iCalendar string validation now. During its creation,
> I came across several issues with python-icalendar which is basically
> why it took me so long to write the validation. I made several fixes
> to the python-icalendar library, most of them are already merged in
> the repository master (https://github.com/collective/icalendar), one
> should be pushed in the next library major release.
>
> My pull requests:
> https://github.com/collective/icalendar/pull/175
> https://github.com/collective/icalendar/pull/179
> https://github.com/collective/icalendar/pull/180
> https://github.com/collective/icalendar/pull/183
> https://github.com/collective/icalendar/pull/189
>
> I still have one fix in the making, that one should force the strong
> types in iCalendar as these are also missing in python-icalendar but
> required by the RFC.
>
> Also, obviously, if you want to try the patches, you will need the
> current python-icalendar implementation from Github. I haven't put
> python-icalendar dependency into the .spec file yet for this reason.
>
> *Summary*
> We are now able to import iCalendar strings from files and more or
> less be sure that the parts we need will be consistent with the RFC
> 5545 (basically, we are only checking that VEVENT components are
> correct, to bring strict checking to python-icalendar would take some
> time and I believe I spent way too much time with it already (there is
> an issue on their github page, though, it's 4 years old)).
>
> *TODO now*
> 0) *Update the design*
> 1a) The hbacrule-*-accesstime should probably be split into 2
> commands, one that reads iCalendar strings from files, and one that
> creates those strings from "some kind of user input" (similarly for
> timeruletemplates).
> 1b) Create the format of user input we could expect for the second
> kind of command from 1a). We need to be able to convert it to
> iCalendar string and back so that we are able to present the data
> stored on the server in human readable form.
> http://jkbrzt.github.io/rrule/ NL part might be of help although it
> aims mostly on RRULE property of VEVENT components, whereas we may
> want to use DTEND, EXDATE, RDATE and DURATION as well to be able to
> specify events more properly.
> 2) Represent the HBAC time rules on SSSD side. I already have a
> skeleton of this based on libical
> (https://github.com/libical/libical), which hopefully seems to be more
> viable than python-icalendar. I do not mean to do the validation of
> received iCalendar string on the SSSD side anymore (at least not in an
> excessive way), just get the required properties from VEVENT
> components and evaluate them accordingly.
>
> *Discuss*
> I would really appreciate your input on these topics:
> 1) How to represent the iCalendar strings on the client side in CLI
> (while thinking about WebUI as well)?
> 2a) Do we want to use the time rules for Sudo rules as well?
> 2b) If 2a), is the proposed location of time rule templates along with
> the privileges ok?
>
> Standa
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Fri Mar 4 14:41:00 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 15:41:00 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
In-Reply-To: <56D9979B.4070309@redhat.com>
References: <56D9979B.4070309@redhat.com>
Message-ID: <56D99E7C.9090107@redhat.com>

On 03/04/2016 03:11 PM, Petr Spacek wrote:
> Hello,
>
> I've updated Feature template to make sure that the important design decisions
> are recorded somewhere.
>
> Of course all this is open for discussion. I did this soon because I believe
> that it is better to actually see how it looks like instead of discussing
> vaporware. Wiki has revert button if necessary, feel free to use it.
>
> New texts:
> http://www.freeipa.org/page/Feature_template#Design_Assumptions
> http://www.freeipa.org/page/Feature_template#Use_Cases

On top of what Petr proposed, I would also like to propose new
"Troubleshooting" section that was often asked for by people supporting our
users or advising on the lists. I would imagine we would specify any specific
logs, log levels or procedures that could help people investigate what's
wrong with the feature.

The SSSD project implemented that as "How To Debug" section, see here:
https://fedorahosted.org/sssd/wiki/PageTemplates/FeatureDesign

Martin

From mkosek at redhat.com Fri Mar 4 14:56:05 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 4 Mar 2016 15:56:05 +0100
Subject: [Freeipa-devel] [WIP] Time-Based HBAC Policies
In-Reply-To: <56D99E25.7050502@redhat.com>
References: <56D9935D.9050507@redhat.com> <56D99E25.7050502@redhat.com>
Message-ID: <56D9A205.7060308@redhat.com>

On 03/04/2016 03:39 PM, Stanislav Laznicka wrote:
> Based on Alexander's suggestion I created a copr repo with latest
> python-icalendar version.
>
> https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/

Thanks. When we get to end-to-end functionality (again), it should again make
sense to have a repo including all changed packages, including freeipa and
sssd.

From pspacek at redhat.com Fri Mar 4 14:59:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 15:59:35 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
In-Reply-To: <56D99A44.20906@redhat.com>
References: <56D9979B.4070309@redhat.com> <56D99A44.20906@redhat.com>
Message-ID: <56D9A2D7.8030401@redhat.com>

On 4.3.2016 15:23, Martin Kosek wrote:
> On 03/04/2016 03:11 PM, Petr Spacek wrote:
>> Hello,
>>
>> I've updated Feature template to make sure that the important design decisions
>> are recorded somewhere.
>>
>> Of course all this is open for discussion. I did this soon because I believe
>> that it is better to actually see how it looks like instead of discussing
>> vaporware. Wiki has revert button if necessary, feel free to use it.
>>
>> New texts:
>> http://www.freeipa.org/page/Feature_template#Design_Assumptions
>
> Looks good to me.
>
>> http://www.freeipa.org/page/Feature_template#Use_Cases
>
> Does not look good to me. Practical examples of how features is used is in How
> to Test section, ideally organized by Use Cases, like in
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> If we start adding gory details and examples right in Use Cases section, we
> would kill the clarity of that section that intends to just give you overview
> of the use cases.

Okay, now I understand that. Funnily enough the only thing I changed is
addition of bullet
"* Explicitly list use cases which were considered but will not supported for
some reason. Include the reason, too ;-)"

The text you are criticizing is there from the very first version of the page
[2012-07-24T21:09:49 as can be seen on
http://www.freeipa.org/index.php?title=Feature_template&oldid=5161].

> I would rather imagine something like
>
> http://www.freeipa.org/page/V4/Authentication_Indicators#Strong_Authentication_on_Selected_System
>
> which is an impromptu format for the new User Story based approach. The
> expectations is that rest of the page will then work with these User
> Stories/Use Cases, whether it is Design, How To Test, UI examples or Test Plan.

Agreed.

>> I also did one unrelated change:
>> Now "Feature Management" chapter precedes "Design" chapter with all the gory
>> details. This should make the page more useful for random users who find it
>> using a search engine.
>>
>> Intents:
>> 1. Consider usability *very* early in the design process.
>> 2. Think about LDAP schema support for UI workflows very early.
>
> These are good intents. However, while I agree with the intents, I am curious
> how this is supposed to work, because the CLI/UI often works with the terms
> that are being defined in Design.
>
> See for example here:
> http://www.freeipa.org/page/V4/User_Certificates#Feature_Management
> It already assumes you know some parts of the design, like matching attribute.
>
> Or:
> http://www.freeipa.org/page/V4/OTP#Feature_Management
> It already assumes you know what OTP token is, what Radius Proxy server is and
> how it relates, etc.

Well, that points to an interesting problem of user interface design. Is the
user assumed to read the *design* page before using the feature (so he knows
the terms as you pointed out)?

If it is true then we failed spectacularly at providing usable user
interfaces.

Looking at
https://www.nngroup.com/articles/ten-usability-heuristics/
second principle:

# Match between system and the real world
## The system should speak the users' language, with words, phrases and
concepts familiar to the user, rather than system-oriented terms. Follow
real-world conventions, making information appear in a natural and logical
order.

My understanding to this is that terms should be 'the usual' terms used in
given field. FreeIPA did not invent neither of OTP, RADIUS, DNS, PKI, AD etc.

Interface should be self-describing. If it is not then we failed. If there is
hard to understand but standard terminology, link to an external article and
do not spend time on describing it 25th time (most likely using slightly
inconsistent terms).

Obviously there will be exceptions but wiki has hyperlinks so this can be
handled if absolutely necessary.

>> DNS locations proved that UI is a nightmare which is better to think about in
>> the very beginning, even before thinking about LDAP schema.
>>
>> I hope it will help in long term.
>
> While it may make sense to *think* about the interfaces first, why does it also
> have to be in the design page as the first thing, given it breaks the natural
> and logical flow of the text?

In my eyes this is more logical and makes the page more useful to a wider
audience as I explained in the previous e-mail.

AFAIK 'How to test' section was added purposely to make the page usable by
non-developers and this is just going in the same direction.

Looking at TOC the developer-only sections are just 'Design' and
'Implementation'.

If we wanted to be radical and wanted to make the page really nice, shiny,
logical, and easy to use by casual users we could move Design and
Implementation into sub-page /all-the-gory-details.

I understand that could be too radical.

--
Petr^2 Spacek

From pspacek at redhat.com Fri Mar 4 15:04:05 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 16:04:05 +0100
Subject: [Freeipa-devel] Proposing design template changes (Re: Feature template - proposed changes)
In-Reply-To: <56D99CC4.2060903@redhat.com>
References: <56D9979B.4070309@redhat.com> <56D99CC4.2060903@redhat.com>
Message-ID: <56D9A3E5.5030008@redhat.com>

On 4.3.2016 15:33, Martin Kosek wrote:
> On 03/04/2016 03:11 PM, Petr Spacek wrote:
>> Hello,
>>
>> I've updated Feature template to make sure that the important design decisions
>> are recorded somewhere.
>>
>> Of course all this is open for discussion. I did this soon because I believe
>> that it is better to actually see how it looks like instead of discussing
>> vaporware. Wiki has revert button if necessary, feel free to use it.
>
> Just for the record, I would be cautious when changing such an impactful page
> like Design Template. Your way, if somebody now copies the Feature template,
> he/she would be basing the design work on a template proposal that was not
> discussed yet and that is subject to change.
>
> I believe the Mediawiki approach for that is User name space, where you can do
> the proposal by copying this page without affecting the "production design
> template":
>
> https://www.mediawiki.org/wiki/Help:Namespaces#User
>
> Just 2 cents. Let me know if there is better way than what I proposed.

Oh, I did not know about this User: namespace!

So I reverted to its original state
http://www.freeipa.org/page/Feature_template
and moved the proposed version to
http://www.freeipa.org/page/User:Pspacek/Feature_template

-- 
Petr^2 Spacek

From ofayans at redhat.com Fri Mar 4 15:31:23 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 4 Mar 2016 16:31:23 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D93B98.4090307@redhat.com>
References: <5640A90B.6030906@redhat.com> <56560124.4060904@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com>
Message-ID: <56D9AA4B.103@redhat.com>

Hi, Martin.

An updated version of the patch is attached. Please see my comments below

On 03/04/2016 08:39 AM, Martin Basti wrote:
>
>
> On 04.03.2016 08:37, Martin Basti wrote:
>>
>>
>> On 03.03.2016 18:38, Martin Basti wrote:
>>>
>>>
>>> On 02.03.2016 13:47, Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>> I've made the requested changes.
>>>>
>>>> The full set of necessary patches is attached.
>>>> >>>> >>>> On 03/02/2016 10:05 AM, Martin Basti wrote: >>>>> >>>>> On 02.03.2016 00:12, Oleg Fayans wrote: >>>>>> Hi Martin, >>>>>> >>>>>> On 03/01/2016 07:04 PM, Martin Basti wrote: >>>>>>> On 01.03.2016 14:56, Martin Basti wrote: >>>>>>>> >>>>>>>> On 01.03.2016 12:37, Martin Basti wrote: >>>>>>>>> On 01.03.2016 12:32, Martin Basti wrote: >>>>>>>>>> On 29.02.2016 13:16, Oleg Fayans wrote: >>>>>>>>>>> Hi all, >>>>>>>>>>> >>>>>>>>>>> Finally the tests pass. >>>>>>>>>>> >>>>>>>>>>> The patch 0024 applies on top of patch 0022 (please, consider >>>>>>>>>>> reviewing >>>>>>>>>>> it also). Besides, the whole functionality depends on Martin's >>>>>>>>>>> patch N 0421 >>>>>>>>>>> >>>>>>>>>>> All patches pass pylint. >>>>>>>>>> hello, >>>>>>>>>> >>>>>>>>>> I cannot apply patches on master branch >>>>>>>>>> Martin^2 >>>>>>>>> My bad I applied wrong patch >>>>>>>>> >>>>>>>>>>> On 12/19/2015 11:56 PM, Martin Basti wrote: >>>>>>>>>>>> On 17.12.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>> >>>>>>>>>>>>> I am sorry, in my previous email I attached the old version of >>>>>>>>>>>>> patch >>>>>>>>>>>>> 0016. The correct on is attached. >>>>>>>>>>>>> >>>>>>>>>>>>> On 12/16/2015 05:47 PM, Martin Basti wrote: >>>>>>>>>>>>>> On 16.12.2015 15:39, Martin Basti wrote: >>>>>>>>>>>>>>> On 15.12.2015 10:29, Oleg Fayans wrote: >>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> The updated patches are attached. Patch 0017 includes all >>>>>>>>>>>>>>>> changes from >>>>>>>>>>>>>>>> patch 0018, so, if you approve this one, there would be no >>>>>>>>>>>>>>>> need to >>>>>>>>>>>>>>>> continue with the review of 0018. This one contains all >>>>>>>>>>>>>>>> changes >>>>>>>>>>>>>>>> related >>>>>>>>>>>>>>>> to you remarks from 0018 review. Please see my explanation >>>>>>>>>>>>>>>> on the >>>>>>>>>>>>>>>> stdout+stderr part in the thread from patch 0018. 
>>>>>>>>>>>>>>>> With these two patches applied one of the tests fails >>>>>>>>>>>>>>>> due this >>>>>>>>>>>>>>>> bug: >>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5550 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 12/09/2015 12:17 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>> On 09.12.2015 12:10, Martin Basti wrote: >>>>>>>>>>>>>>>>>> On 09.12.2015 11:14, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>> Hi Martin >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 12/09/2015 10:30 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>> On 08.12.2015 23:48, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>> Substituted a hardcoded suffix name with a constant >>>>>>>>>>>>>>>>>>>>> DOMAIN_SUFFIX_NAME >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 12/08/2015 02:33 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>> Hi all, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> The patches are rebased against the current master. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 12/02/2015 05:10 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>> On 02.12.2015 16:18, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 12/01/2015 04:08 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 16:26, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> And patch N 16 passes lint too: >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 04:03 PM, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/27/2015 03:26 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 27.11.2015 15:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> All your suggestions were taken into >>>>>>>>>>>>>>>>>>>>>>>>>>>>> account. Both >>>>>>>>>>>>>>>>>>>>>>>>>>>>> patches are >>>>>>>>>>>>>>>>>>>>>>>>>>>>> updated. Thank you for your help! 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/26/2015 10:50 AM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 26.11.2015 10:04, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Martin, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree to all your points but one. please, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> see my >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> comment >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> below >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/25/2015 07:42 PM, Martin Basti wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0) Note >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please be aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5469 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> during >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA testing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please do not use MIN and MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constants, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this may >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> change >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> over time, use DOMAIN_LEVEL_0 and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> DOMAIN_LEVEL_1 for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level 0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and 1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Why uninstall KRA then server, is not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> uninstall >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> covers KRA uninstall? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def teardown_method(self, method): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + for host in self.replicas: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + host.run_command(self.kra_uninstall, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + tasks.uninstall_master(host) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be this function more generic? It >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> allow >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> where >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> KRA should be installed not just master >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + def test_kra_install_master(self): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + self.master.run_command(self.kra_install) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestLevel0(Dummy): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Can be the test name more specific, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> something >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> like >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> please remove this, the patch is on review >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> pushed >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sooner >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> than tests >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + @pytest.mark.xfail # Ticket N 5455 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and as I mentioned in ticket #5455, I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-kra-install, so please provide steps to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reproduce if >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> insist >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this still does not work as expected >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with KRA. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6) This is completely wrong, it removes >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> everything >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tried to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> achieve with previous patches with domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in CI >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Actually, being able to configure domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is WAY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> convenient, than to always have to think >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> appropriate for which particular test during >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> jenkins >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> job >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration. In fact, I should have >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> thought >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> about it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> from the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> very >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> beginning. 
For example, in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test_replica_promotion.py we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> have on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> which intiates with domain level = 1, while >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> others - >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 0. With config-based approach, we would >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> have to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implement a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> separate >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step that raises domain level. Overall, I am >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> against >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> approach, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> when you have to remember to set certain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> any particular test. The tests themselves >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> aware of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level they need. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not say that we should not have >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> something >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> overrides >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> settings >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in from config in a particular test case, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I say >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> doing it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrong. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree it is useful to have param >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> intall_topo methods, but is cannot be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> MAX_DOMAIN_LEVEL by >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> default, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because with your current patch the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> used >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at all, it will be always MAX_DOMAIN_LEVEL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> For example I want to achieve this goal: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test_vault.py, this test suite can run on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and on >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level0, so with one test we can test 2 domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> levels >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> putting >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level into config file. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I agree that with extraordinary test like >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> promotion test >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is, we >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> need something that allows override the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As I said bellow, domain_level default value >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> should be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_master and install_topo plugin. 
If >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> was >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use the specified one, if not (value is None) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config file. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Agreed :) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> [PATCH] Enabled setting domain_level per >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> class >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> derived from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> TestIntegration >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> When I configure domain level 0 in yaml >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config, how >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get into install methods when you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> removed that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> code? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - "--domain-level=%i" % >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> host.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + "--domain-level=%i" % domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You always use MAX_DOMAIN_LEVEL in this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> case or >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> whatever is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specified in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain_level option. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to use domain_level=None, and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> when >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> it is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'host.config.domain_level', if it is not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> None, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> use >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> With this we can specify domain level in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> file for >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> be used for both domain levels and you can >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> manually >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> specify >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for test that requires specific domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also this should go away >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @classmethod >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> def install(cls, mh): >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + if hasattr(cls, "domain_level") >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.master: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + cls.master.config.domain_level = >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cls.domain_level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> if cls.topology is None: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> return >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do not see reason why test should >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> override >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> configuration in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> config in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this case. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 25.11.2015 16:44, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here is the updated version of the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch (more >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tests + >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> fixed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> issues of the first one) + patch 0017, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> implements the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> necessary >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> changes in the background code, i. e. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 16 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> without >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> patch 17 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 11/18/2015 05:20 PM, Martin Basti >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 09.11.2015 15:09, Oleg Fayans wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi guys, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Here are first two automated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testcases from >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (so far >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> incomplete) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> testplan: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Testplan review is highly appreciated >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> PATCH 16: NACK >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> What is the reason to add an unused >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo()? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Also it is good practise to add new >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> option >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> last >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> parameter. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cab you in both tests specify a domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> constant >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> instead of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> number literal? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> both test call install_topo with custom >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> level, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> but it >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> cannot >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> because 1) (did you run the test?) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> How the test "TestLevel1" is supposed to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Respectively why there is call of >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install_topo() >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installs >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> As this test just tests that >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ipa-replica-prepare is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> anymore, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is it worth to spend 20 minutes with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> installing >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> then >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> just no >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> tot use it? IMO to install master in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> install >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> step is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> enough. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> ./make-lint >>>>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.base >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/base.py:66: >>>>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>>>> IntegrationTest.install] Class >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'IntegrationTest' >>>>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:16: >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' >>>>>>>>>>>>>>>>>>>>>>>>>>>> has no >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:117: >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>>>>>>>>>>>> TestCAInstall.test_ca_install_without_replica_file] >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>>>>>>>>>>>> 'setup_replica' >>>>>>>>>>>>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Is it so hard to run pylint before patch is >>>>>>>>>>>>>>>>>>>>>>>>>>>> posted >>>>>>>>>>>>>>>>>>>>>>>>>>>> for >>>>>>>>>>>>>>>>>>>>>>>>>>>> review? >>>>>>>>>>>>>>>>>>>>>>>>>>> Sorry, my bad. Fixed. >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>>>>>>>>>> Why is this change in the patch? >>>>>>>>>>>>>>>>>>>>>>>>> - # Clean up the test directory >>>>>>>>>>>>>>>>>>>>>>>>> - host.run_command(['rm', '-rvf', >>>>>>>>>>>>>>>>>>>>>>>>> host.config.test_dir]) >>>>>>>>>>>>>>>>>>>>>>>> Otherwise 2 out of 8 tests fail with IOError at >>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>> 78 of >>>>>>>>>>>>>>>>>>>>>>>> ipatests/test_integration/tasks.py >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> I do not understand yet how does this happen, >>>>>>>>>>>>>>>>>>>>>>>> but if >>>>>>>>>>>>>>>>>>>>>>>> you >>>>>>>>>>>>>>>>>>>>>>>> remove >>>>>>>>>>>>>>>>>>>>>>>> ipatests folder once, it then fails to be created >>>>>>>>>>>>>>>>>>>>>>>> again. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> So this should be in separated patch and >>>>>>>>>>>>>>>>>>>>>>> investigated >>>>>>>>>>>>>>>>>>>>>>> properly. >>>>>>>>>>>>>>>>>>>>>> Agree. 
Removed >>>>>>>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>>>>>>>>>> is enough to have this check only in >>>>>>>>>>>>>>>>>>>>>>>>> install_master, >>>>>>>>>>>>>>>>>>>>>>>>> install_topo can >>>>>>>>>>>>>>>>>>>>>>>>> pass None to install_master >>>>>>>>>>>>>>>>>>>>>>>>> + if domain_level is None: >>>>>>>>>>>>>>>>>>>>>>>>> + domain_level = master.config.domain_level >>>>>>>>>>>>>>>>>>>>>>>> Done >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 3) >>>>>>>>>>>>>>>>>>>>>>>>> IMO replica-manage del should cleanup hosts >>>>>>>>>>>>>>>>>>>>>>>>> entry, so >>>>>>>>>>>>>>>>>>>>>>>>> following >>>>>>>>>>>>>>>>>>>>>>>>> code >>>>>>>>>>>>>>>>>>>>>>>>> should not be needed. >>>>>>>>>>>>>>>>>>>>>>>>> + if cleanhost: >>>>>>>>>>>>>>>>>>>>>>>>> + kinit_admin(master) >>>>>>>>>>>>>>>>>>>>>>>>> + master.run_command(["ipa", "host-del", >>>>>>>>>>>>>>>>>>>>>>>>> "--updatedns", >>>>>>>>>>>>>>>>>>>>>>>>> replica.hostname], >>>>>>>>>>>>>>>>>>>>>>>>> + raiseonerr=False) >>>>>>>>>>>>>>>>>>>>>>>> Well, in fact it does not. At least the >>>>>>>>>>>>>>>>>>>>>>>> corresponding dns >>>>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>>>> stays >>>>>>>>>>>>>>>>>>>>>>>> and causes the subsequent ipa-client-install to >>>>>>>>>>>>>>>>>>>>>>>> fail. >>>>>>>>>>>>>>>>>>>>>>>> Probably >>>>>>>>>>>>>>>>>>>>>>>> it's a >>>>>>>>>>>>>>>>>>>>>>>> bug. On the other hand, if I promote an existing >>>>>>>>>>>>>>>>>>>>>>>> client to >>>>>>>>>>>>>>>>>>>>>>>> replica and >>>>>>>>>>>>>>>>>>>>>>>> then delete this replica, then, I probably want the >>>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>>> record >>>>>>>>>>>>>>>>>>>>>>>> (that >>>>>>>>>>>>>>>>>>>>>>>> was created during client-install) to stay in the >>>>>>>>>>>>>>>>>>>>>>>> system. So, >>>>>>>>>>>>>>>>>>>>>>>> does not >>>>>>>>>>>>>>>>>>>>>>>> look like a bug to me. 
>>>>>>>>>>>>>>>>>>>>>>> No you don't, because replica uninstallation also >>>>>>>>>>>>>>>>>>>>>>> removes the >>>>>>>>>>>>>>>>>>>>>>> client. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I tried it with ipa42, ipa-replica-manage del >>>>>>>>>>>>>>>>>>>>>>> removes >>>>>>>>>>>>>>>>>>>>>>> host >>>>>>>>>>>>>>>>>>>>>>> entry, >>>>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>>>> DNS A records, only SSHFP records stay there (I'm >>>>>>>>>>>>>>>>>>>>>>> not >>>>>>>>>>>>>>>>>>>>>>> sure >>>>>>>>>>>>>>>>>>>>>>> if it >>>>>>>>>>>>>>>>>>>>>>> is bug >>>>>>>>>>>>>>>>>>>>>>> or feature) >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Also I received this message >>>>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>>>> Failed to cleanup replica1.ipa.test DNS entries: no >>>>>>>>>>>>>>>>>>>>>>> matching >>>>>>>>>>>>>>>>>>>>>>> entry >>>>>>>>>>>>>>>>>>>>>>> found >>>>>>>>>>>>>>>>>>>>>>> You may need to manually remove them from the tree >>>>>>>>>>>>>>>>>>>>>>> """ >>>>>>>>>>>>>>>>>>>>>>> But, A record has been removed, so this is probably >>>>>>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>>>>>> positive and >>>>>>>>>>>>>>>>>>>>>>> it needs to have a ticket. >>>>>>>>>>>>>>>>>>>>>> Agree, that was an issue with my setup. >>>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 4) >>>>>>>>>>>>>>>>>>>>>>>>> This variable is not used >>>>>>>>>>>>>>>>>>>>>>>>> + kra_uninstall = ["ipa-kra-install", >>>>>>>>>>>>>>>>>>>>>>>>> "--uninstall", "-U"] >>>>>>>>>>>>>>>>>>>>>>>> Removed >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 5) >>>>>>>>>>>>>>>>>>>>>>>>> Why do you need this >>>>>>>>>>>>>>>>>>>>>>>>> + kra_install = ["ipa-kra-install", "-U", "-p", >>>>>>>>>>>>>>>>>>>>>>>>> config.dirman_password] >>>>>>>>>>>>>>>>>>>>>>>>> when you implemented tasks.install_kra that >>>>>>>>>>>>>>>>>>>>>>>>> returns >>>>>>>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>>>>>>> exactly >>>>>>>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>>>>>>> result? >>>>>>>>>>>>>>>>>>>>>>>> Right. 
Removed >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 6) >>>>>>>>>>>>>>>>>>>>>>>>> PEP8 >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:928:1: E302 >>>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:934:1: E302 >>>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:939:1: E302 >>>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:943:1: E302 >>>>>>>>>>>>>>>>>>>>>>>>> expected 2 >>>>>>>>>>>>>>>>>>>>>>>>> blank >>>>>>>>>>>>>>>>>>>>>>>>> lines, >>>>>>>>>>>>>>>>>>>>>>>>> found 1 >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/tasks.py:950:80: E501 >>>>>>>>>>>>>>>>>>>>>>>>> line too >>>>>>>>>>>>>>>>>>>>>>>>> long >>>>>>>>>>>>>>>>>>>>>>>>> (80 > 79 >>>>>>>>>>>>>>>>>>>>>>>>> characters) >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:29:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:64:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (85 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:67:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> 
too long (88 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:93:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:94:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (83 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:118:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (81 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:128:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:129:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (82 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:181:80: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> E501 >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> line >>>>>>>>>>>>>>>>>>>>>>>>> too long (80 > 79 characters) >>>>>>>>>>>>>>>>>>>>>>>> Most of these complaints are unrelated to the >>>>>>>>>>>>>>>>>>>>>>>> current >>>>>>>>>>>>>>>>>>>>>>>> patches. 
>>>>>>>>>>>>>>>>>>>>>>>> It's better to create a separate patch >>>>>>>>>>>>>>>>>>>>>>>> addressing PEP8 >>>>>>>>>>>>>>>>>>>>>>>> errors. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I beg for your pardon, those PEP8 errors have been >>>>>>>>>>>>>>>>>>>>>>> introduced by >>>>>>>>>>>>>>>>>>>>>>> your >>>>>>>>>>>>>>>>>>>>>>> patches. >>>>>>>>>>>>>>>>>>>>>> Fixed >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 7) >>>>>>>>>>>>>>>>>>>>>>>>> Why this must be stored in instance? IMO to >>>>>>>>>>>>>>>>>>>>>>>>> have it >>>>>>>>>>>>>>>>>>>>>>>>> stored as >>>>>>>>>>>>>>>>>>>>>>>>> local >>>>>>>>>>>>>>>>>>>>>>>>> variable is perfect >>>>>>>>>>>>>>>>>>>>>>>>> TestKRAInstall, TestCAInstall >>>>>>>>>>>>>>>>>>>>>>>>> self.replica1_filename = >>>>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica1) >>>>>>>>>>>>>>>>>>>>>>>>> self.replica2_filename = >>>>>>>>>>>>>>>>>>>>>>>>> tasks.get_replica_filename(replica2) >>>>>>>>>>>>>>>>>>>>>>>> Agree. Fixed >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> This patch is missing something. >>>>>>>>>>>>>>>>>>> I am sorry, I forgot to revert my previous change. 
The >>>>>>>>>>>>>>>>>>> correct >>>>>>>>>>>>>>>>>>> patch is >>>>>>>>>>>>>>>>>>> attached >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> ************* Module >>>>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), Dummy.install] Unexpected >>>>>>>>>>>>>>>>>> keyword >>>>>>>>>>>>>>>>>> argument 'domain_level' in function call) >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:15: >>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.install] Class 'Dummy' has no >>>>>>>>>>>>>>>>>> 'domain_level' >>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:19: >>>>>>>>>>>>>>>>>> [E1101(no-member), Dummy.teardown_method] Module >>>>>>>>>>>>>>>>>> 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>> 'uninstall_replica' >>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:67: >>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>> 'ipa_backup' >>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:72: >>>>>>>>>>>>>>>>>> [E1101(no-member), >>>>>>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_backup_restore] >>>>>>>>>>>>>>>>>> Module 'ipatests.test_integration.tasks' has no >>>>>>>>>>>>>>>>>> 'ipa_restore' >>>>>>>>>>>>>>>>>> member) >>>>>>>>>>>>>>>>>> ipatests/test_integration/test_replica_promotion.py:120: >>>>>>>>>>>>>>>>>> [E1123(unexpected-keyword-arg), TestCAInstall.install] >>>>>>>>>>>>>>>>>> Unexpected >>>>>>>>>>>>>>>>>> keyword argument 'domain_level' in function call) >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Sorry I forgot to apply patch 17, my bad, I'm >>>>>>>>>>>>>>>>> continuing with >>>>>>>>>>>>>>>>> review >>>>>>>>>>>>>>> LGTM, I haven't had time to test it, but 
if you are sure >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> test is >>>>>>>>>>>>>>> working, we may push this. >>>>>>>>>>>>>>> >>>>>>>>>>>>>> Is this expected due the bug you mentioned? >>>>>>>>>>>>>> _____ >>>>>>>>>>>>>> __________________________________________________________________________ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> TestReplicaPromotionLevel0.test_kra_install_master >>>>>>>>>>>>>> ________________________________________________________________________________ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> self = >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> object at 0x7f5071a59e50> >>>>>>>>>>>>>> >>>>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>>>> result1 = tasks.install_kra(self.master, >>>>>>>>>>>>>> raiseonerr=False) >>>>>>>>>>>>>>> assert result1.returncode == 0, >>>>>>>>>>>>>>> result1.stderr_text >>>>>>>>>>>>>> E AssertionError: Usage: ipa-kra-install [options] >>>>>>>>>>>>>> [replica_file] >>>>>>>>>>>>>> E >>>>>>>>>>>>>> E ipa-kra-install: error: Replica file >>>>>>>>>>>>>> /root/ipatests/replica-info.gpg does not exist >>>>>>>>>>>>>> E The ipa-kra-install command failed. 
See >>>>>>>>>>>>>> /var/log/ipaserver-kra-install.log for more information >>>>>>>>>>>>>> E >>>>>>>>>>>>>> E assert 2 == 0 >>>>>>>>>>>>>> E + where 2 = >>>>>>>>>>>>> object at >>>>>>>>>>>>>> 0x7f5071adbd50>.returncode >>>>>>>>>>>>>> >>>>>>>>>>>> IMO the test needs fix, KRA on replica file needs KRA related >>>>>>>>>>>> certificates in replica file >>>>>>>>>>>> >>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> RUN >>>>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] RUN >>>>>>>>>>>> ['ipa-kra-install', '-U', '-p', 'Secret123', >>>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] >>>>>>>>>>>> Missing >>>>>>>>>>>> KRA >>>>>>>>>>>> certificates, please create a new replica file. >>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] The >>>>>>>>>>>> ipa-kra-install command failed. See >>>>>>>>>>>> /var/log/ipaserver-kra-install.log >>>>>>>>>>>> for more information >>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd27] Exit >>>>>>>>>>>> code: 1 >>>>>>>>>>>> FAILED >>>>>>>>>>>> traceback >>>>>>>>>>>> >>>>>>>>>>>> self = >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> object at 0x7f660bc1a590> >>>>>>>>>>>> >>>>>>>> I just read the code. 
>>>>>>>> >>>>>>>> PATCH 16: >>>>>>>> 0) >>>>>>>> PEP8 >>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E111 >>>>>>>> indentation is not a multiple of four >>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:24:14: E113 >>>>>>>> unexpected indentation >>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:148:80: E501 >>>>>>>> line too long (80 > 79 characters) >>>>>>>> ./ipatests/test_integration/test_replica_promotion.py:150:80: E501 >>>>>>>> line too long (81 > 79 characters) >>>>>>>> >>>>>>>> 1) >>>>>>>> workaround is not workaround, because the host entry is removed >>>>>>>> anyway, the error is raised from POST callback, please remove it >>>>>>>> + # Workaround for 5627 >>>>>>>> + if "host not found" in result.stderr_text: >>>>>>>> + self.master.run_command(["ipa", >>>>>>>> + "host-del", >>>>>>>> + host.hostname], >>>>>>>> raiseonerr=False) >>>>>>> sorry, I was wrong with this, check is in pre_callback, but please >>>>>>> remove it anyway, I will send patch to fix it ASAP >>>>>> Done >>>>> I realized that the fix I'm working on is for 4.4 only, so for 4.3 add >>>>> this as separated patch. >>>> Done, patch 0027 >>>> >>>>>>>> 2) >>>>>>>> Please name it better, for example "replica" instead of "i" >>>>>>>> + for i in self.replicas: >>>>>>>> + tasks.install_replica(master, i, setup_ca=False, >>>>>>>> + setup_dns=True) >>>>>> Done >>>>>> >>>>>>>> 3) >>>>>>>> Please use constant for domain level (multiple times) >>>>>>>> + result1 = tasks.install_ca(replica1, domain_level=1, >>>>>>>> raiseonerr=False) >>>>>>>> >>>>>>>> + tasks.install_ca(replica1, domain_level=0) >>>>>>>> + result2 = tasks.install_ca(replica2, domain_level=0, >>>>>>>> raiseonerr=False) >>>>>>>> ... 
more times >>>>>> Done >>>>>> >>>>>>>> 4) >>>>>>>> This link does not exists, only connect is deprecated not >>>>>>>> ipa-replica-manage at all >>>>>>>> + def test_replica_manage_commands(self): >>>>>>>> + """ >>>>>>>> + TestCase: >>>>>>>> http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan >>>>>>>> + #Test_case:_ipa-replica-manage_is_deprecated_in_domain_level_1 >>>>>>>> + """ >>>>>> Fixed >>>>>> >>>>>>>> 5) >>>>>>>> Missing testcases: >>>>>>>> >>>>>>>> Test case: Unprivileged users are not allowed to enroll and promote >>>>>>>> clients >>>>>>>> Test case: Replica created using old workflow is functional after >>>>>>>> domain upgrade >>>>>>>> Test case: ipa-csreplica-manage connect is deprecated in domain >>>>>>>> level 1 >>>>>>>> Test case: Replica can be installed using one command >>>>>>>> Test case: Prohibit ipa server uninstallation from disconnecting >>>>>>>> topology segment >>>>>>>> >>>>>> They are on the way, not fully ready yet >>>>>> >>>>>>>> PATCH 24: >>>>>>>> >>>>>>>> 1) >>>>>>>> why there is this change, how it is related to this patch?: >>>>>>>> def apply_common_fixes(host): >>>>>>>> + prepare_host(host) >>>>>>>> fix_etc_hosts(host) >>>>>>>> fix_hostname(host) >>>>>>>> - prepare_host(host) >>>>>> Good catch! That was one of my attempts to address the issue that was >>>>>> successfully resolved in patch 0025. Will remove it once we agree >>>>>> on the >>>>>> rest of the changes >>>> Removed >>>> >>>>>>>> 2) >>>>>>>> Why is there this change, how it is related to this patch?: >>>>>>>> def replica_prepare(master, replica): >>>>>>>> - apply_common_fixes(replica) >>>>>>>> fix_apache_semaphores(replica) >>>>>>>> ... >>>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>>> setup_dns=False, >>>>>>>> ... 
>>>>>>>> + apply_common_fixes(replica) >>>>>> Just to make this call independent from domain level (at >>>>>> domain_level 1 >>>>>> replica_prepare never gets called) >>>>> It should be in separate commit, because it is not related to adding >>>>> domain_level in class functionality >>>> Done. Patch 0026 >>>> >>>>>> >>>>>>>> 3) >>>>>>>> why is there this change, how it is related to this patch?: >>>>>>>> - >>>>>>>> + args.extend(['-n', replica.domain.name, >>>>>>>> + '-r', replica.domain.realm]) >>>>>> At least -r is a required parameter. -n was added for further >>>>>> robustness. Can be safely removed, though >>>>> It should be in separate commit, as this is not related to domain >>>>> levels >>>> Done. Patch 0026 >>>> >>>>>>>> 4) >>>>>>>> why there force, how is this change related to this patch (domain >>>>>>>> levels)? >>>>>>>> '-w', client.config.admin_password, >>>>>>>> - '--server', master.hostname] >>>>>>>> + '--server', master.hostname, >>>>>>>> + '--force'] >>>>>>>> + list(extra_args)) >>>>>> client refuses to install unless everything is super clear in the dns >>>>>> setup (including reverse zone). Otherwise the installer fails and >>>>>> informs you that you may use '--force' at your own risk. I can >>>>>> rerun the >>>>>> tests without this option to provide you with the exact output, if >>>>>> you >>>>>> like. >>>>> It should be in separated commit, because it is not related to domain >>>>> levels >>>> I've run the tests without this option again at it passed. Must have >>>> been some temporary issue. Removed this change. 
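Review bot: in the "Workaround for 5627" block quoted under PATCH 16 item 1, the follow-up "ipa host-del" runs with raiseonerr=False and its result is discarded, so a failed cleanup is silent and only shows up later as "The host replica1.ipa.test already exists on the master server" when the next replica install runs. Capture the result and log or assert on it. The trigger is also a substring match on result.stderr_text ("host not found"), which stops firing as soon as the message wording changes; a comment naming the exact message being matched would make that dependency visible.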
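Review bot: in the PATCH 24 item 4 hunk, '--force' is appended to the argument list of every client install the helper performs, so the suite can no longer notice a client that fails the installer's DNS checks, which is what the author's reply says the flag is there to get past. Drop it from the default list and let the tests that need it pass it through extra_args, which the same hunk already appends.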
>>>>
>>>>>>>> Otherwise domain level related changes LGTM
>>>>>>>>
>>>>>>>> PATCH 25
>>>>>>>>
>>>>>>>> LGTM
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>
>>>
>>> 1)
>>> this method is unused please remove it
>>>
>>> def test_kra_install_master(self):

Well, in fact it is used twice: in both domain levels, so I'd better keep it:

-bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py --collect-only
==================================================================================== test session starts =====================================================================================
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder, multihost
collected 8 items

>>>
>>> 2)
>>> Why are these there? I do not see any usage
>>>
>>> from env_config import get_global_config
>>> config = get_global_config()

Removed

>>>
>>> 3) nitpick
>>> + num_clients = 0
>>> this is set by default

Removed

>>>
>>> otherwise LGTM
>>>
>>> Results of testing tomorrow.
>>>
>>> Martin^2
>>>
>>
>> I applied all patches including workarounds, but test failed.
>>
>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>
>>
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>> '--setup-ca', '--ip-address', '192.168.144.102',
>> '/root/ipatests/replica-info.gpg']
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host
>> replica1.ipa.test already exists on the master server.
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should
>> remove it before proceeding:
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>> host-del replica1.ipa.test
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>> ipa-replica-install command failed. See
>> /var/log/ipareplica-install.log for more information
>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3
>> FAILED

this is exactly the error that happens when a workaround for 5627 is not
applied. I have re-run the tests with all the patches and everything
passed. Could you please double-check, whether patch 0027 was applied
correctly?

bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py --pdb
==================================================================================== test session starts =====================================================================================
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder, multihost
collected 8 items

test_integration/test_replica_promotion.py ........

================================================================================ 8 passed in 7561.93 seconds =================================================================================

>>
> And it needs ticket, otherwise it will not be in 4-3 branch.

https://fedorahosted.org/freeipa/ticket/5723

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0016.10-Integration-tests-for-replica-promotion-feature.patch
Type: text/x-patch
Size: 10684 bytes
Desc: not available
URL:
From pvoborni at redhat.com Fri Mar 4 15:48:22 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 4 Mar 2016 16:48:22 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
In-Reply-To: <56D99E7C.9090107@redhat.com>
References: <56D9979B.4070309@redhat.com> <56D99E7C.9090107@redhat.com>
Message-ID: <56D9AE46.5020608@redhat.com>

On 03/04/2016 03:41 PM, Martin Kosek wrote:
> On 03/04/2016 03:11 PM, Petr Spacek wrote:
>> Hello,
>>
>> I've updated Feature template to make sure that the important design decisions
>> are recorded somewhere.
>>
>> Of course all this is open for discussion. I did this soon because I believe
>> that it is better to actually see how it looks like instead of discussing
>> vaporware. Wiki has revert button if necessary, feel free to use it.
>>
>> New texts:
>> http://www.freeipa.org/page/Feature_template#Design_Assumptions
>> http://www.freeipa.org/page/Feature_template#Use_Cases
>
> On top of what Petr proposed, I would also like to propose new
> "Troubleshooting" section that was often asked for by people supporting our
> users or advising on the lists.
>
> I would imagine we would specify any specific logs, log levels or procedures
> that could help people investigate what's wrong with the feature.
>
> The SSSD project implemented that as "How To Debug" section, see here:
> https://fedorahosted.org/sssd/wiki/PageTemplates/FeatureDesign

Good Idea
--
Petr Vobornik
From pspacek at redhat.com Fri Mar 4 15:48:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 4 Mar 2016 16:48:35 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D99620.6000108@redhat.com>
References: <56D84F94.3000705@redhat.com> <56D86810.1080600@redhat.com> <56D87122.9000709@redhat.com> <56D94486.6040703@redhat.com> <56D99620.6000108@redhat.com>
Message-ID: <56D9AE53.7060409@redhat.com>

On 4.3.2016 15:05, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 3.3.2016 18:15, Martin Basti wrote:
>>>
>>>
>>> On 03.03.2016 17:36, Petr Vobornik wrote:
>>>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>>>> Hello all,
>>>>>
>>>>> related tickets:
>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>> https://fedorahosted.org/freeipa/ticket/5675
>>>>> https://fedorahosted.org/freeipa/ticket/5715
>>>>>
>>>>> I'm trying to implement both tickets, but I don't like the way we
>>>>> decided on devel meeting anymore.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>>
>>>>> 1)
>>>>> ipa host-del --updatedns
>>>>>
>>>>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>>>>> explained later). The records are somehow managed by IPA
>>>>>
>>>>> I don't like the idea of having an extra option to specify record types
>>>>> that should be removed or a flag that will remove DNS entry completely.
>>>>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>>>>> should not be used for managing DNS. If somebody wants better
>>>>> granularity, the one should use 'dnsrecord-mod zone rec --type-rec=' or
>>>>> 'dnsrecord-del --del-all'
>>>>
>>>> AFAIK the proposal on devel meeting was:
>>>>
>>>> --update-dns will delete A, AAAA, SSHFP
>>>> --update-dns=all will delete the whole DNS record LDAP entry
>>>>
>>>> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.
>>> Yes this looks to me like doing an alias for dnsrecord-del command
>>>
>>>>
>>>> Then it was agreed that --update-dns won't search for SRV records (not
>>>> mentioned here, so OK).
>>>>
>>>> PTR records weren't discussed or decision was not recorded.
>>> When we remove A/AAAA, then we should remove PTR as well
>>>>
>>>> The proposal above keeps backwards compatibility though it may not be
>>>> possible to do with current framework. Or do we have support for multivalued
>>>> enum with default value(s) which acts as a flag?
>>> It needs big hacks in framework, to support it as Flag for old client and Enum
>>> for new clients
>>>>
>>>> If the new option type is too complicated to introduce, then I would prefer
>>>> to keep current option(flag) with behavior matching proposal for
>>>> --update-dns or --update-dns=all.
>>> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>>>
>>>>
>>>> Definitely big +1 on not introducing a new option.
>>>>
>>>> No need to over-engineer it.
>>>>
>>>> Not sure about PTR records.
>>>>
>>>>>
>>>>> Note: due to backward compatibility --updatedns cannot be migrated to ENUM,
>>>>> new option needed
>>>>
>>>>>
>>>>> 2)
>>>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>>>
>>>>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>>>>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>>>>> without --updatedns option)
>>>>
>>>> ACK
>>>>
>>>>>
>>>>> 3)
>>>>> ipa-client-install --uninstall
>>>>>
>>>>> SSHFP records are always added via nsupdate to DNS, IMO during client
>>>>> uninstall all SSHFP records related to client should be removed via
>>>>> nsupdate too.
>>>>
>>>> IMHO not necessary will be solved either by #5676 and/or #5715(currently
>>>> uninstall indirectly calls ipa-host-disable)
>>> However host-disable does not do nsupdate, so it will work only for IPA DNS.
>>> So if nsupdate set SSHFP on non-IPA server, we do not have reverse operation
>>> in uninstall for that.
>>>
>>>>
>>>>>
>>>>> 4)
>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>
>>>>> ipa-client-install --uninstall --delete-host #suggestions how to name
>>>>> option for removing host entry for ldap welcome
>>>>>
>>>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>>>
>>>>> I would like to avoid additional DNS related option to be added to
>>>>> ipa-client-install
>>>>>
>>>>> Also do we really want to implement this ticket? What is the gain there?
>>>>
>>>> The devel discussion which is recorded in
>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>
>>>> Suggests to change default behavior in ipa-client-install --uninstall so
>>>> that it will call:
>>>>
>>>> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will
>>>> also do #3.
>>>>
>>>> Further proposal in #5676 is to introduce a new option(--keephost ??) to
>>>> keep the host records, i.e., the old behavior.
>>>>
>>>> But comment:
>>>> """
>>>> simo: maybe keeping backward compatibility is more important, discuss later
>>>> if --remove option would be better
>>>> """
>>>> suggest that further discussion is needed
>>>
>>> I agree with backward compatibility here. A current user may be very surprised
>>> that all DNS records of the host disappear.
>>
>> The general problem is that installation process (aka ipa-client-install) is a
>> mess without documented design (at least when it comes to DNS parts) so it is
>> quite hard to do the reverse on --uninstall.
>>
>> Given that we're planning to implement integration with external DNS in future
>> we might want to postpone ipa-client-install changes related to DNS and do
>> overhaul at once.
>>
>> For example host plugin will need changes as many assumptions about DNS usage
>> are oversimplified or simply wrong so delaying changes might save some
>> headache caused by two behavior changes in two subsequent releases.
>>
>
> I'm not sure what you'd be looking for in ipa-client install but even if
> you knew exactly what changes were made I don't think it would be enough
> to do everything in uninstall. It wouldn't handle DNS changes made
> post-install, for example, so even if state was stored somewhere it
> could still result in left-over DNS entries.
>
> This is particularly important when considering client -> master
> promotion where a slew of DNS entries will be created.
>
> Or am I misunderstanding your point?

You are right, it might be too stateful for 100% clean solution.

Honestly the cleanest thing we could do is not touch DNS at all for clients.
It should be job of the provisioning system and I do not really understand why
the functionality was added to ipa-client-install and not to some other tool.

The same applies to DNS updates from SSSD - it is a job for NetworkManager (or
something else), not SSSD.

If we wanted to leave the functionality as it is we should do something like
this:

* If ipa-client-install adds a new record type which was not present at the
target name before installation, we should delete it during uninstall. This
should handle the cases where IP address or SSH key changed after the install.
(This applies to cases where A record for client.example.com did not exist
before.)

* We should not delete record types which existed before the install as they
were obviously provisioned by something else.

Speaking of server promotion, if we do service record management right (I
intend to do this when implementing IPA integration with external DNS servers)
we should be able to find all the records which were automatically created and
delete them.

Reference to invalid assumptions was to host plugin mess mentioned in other
thread. Unfortunately the mess is not limited to host plugin so it will be a
lot of work.

--
Petr^2 Spacek
From pvoborni at redhat.com Fri Mar 4 15:50:46 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 4 Mar 2016 16:50:46 +0100
Subject: [Freeipa-devel] Feature template - proposed changes
In-Reply-To: <56D9A2D7.8030401@redhat.com>
References: <56D9979B.4070309@redhat.com> <56D99A44.20906@redhat.com> <56D9A2D7.8030401@redhat.com>
Message-ID: <56D9AED6.8090606@redhat.com>

On 03/04/2016 03:59 PM, Petr Spacek wrote:
> On 4.3.2016 15:23, Martin Kosek wrote:
>> On 03/04/2016 03:11 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> I've updated Feature template to make sure that the important design decisions
>>> are recorded somewhere.
>>>
>>> Of course all this is open for discussion. I did this soon because I believe
>>> that it is better to actually see how it looks like instead of discussing
>>> vaporware. Wiki has revert button if necessary, feel free to use it.
>>>
>>> New texts:
>>> http://www.freeipa.org/page/Feature_template#Design_Assumptions
>>
>> Looks good to me.
>>
>>> http://www.freeipa.org/page/Feature_template#Use_Cases
>>
>> Does not look good to me. Practical examples of how features is used is in How
>> to Test section, ideally organized by Use Cases, like in
>> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>>
>> If we start adding gory details and examples right in Use Cases section, we
>> would kill the clarity of that section that intends to just give you overview
>> of the use cases.
>
> Okay, now I understand that.
> Funnily enough the only thing I changed is addition of bullet "* Explicitly
> list use cases which were considered but will not supported for some reason.
> Include the reason, too ;-)"
>
> The text you are criticizing is there from the very first version of the page
> [2012-07-24T21:09:49 as can be seen on
> http://www.freeipa.org/index.php?title=Feature_template&oldid=5161].
>
>
>> I would rather imagine something like
>>
>> http://www.freeipa.org/page/V4/Authentication_Indicators#Strong_Authentication_on_Selected_System
>>
>> which is an impromptu format for the new User Story based approach. The
>> expectation is that rest of the page will then work with these User
>> Stories/Use Cases, whether it is Design, How To Test, UI examples or Test Plan.
>
> Agreed.
>
>
>>> I also did one unrelated change:
>>> Now "Feature Management" chapter precedes "Design" chapter with all the gory
>>> details. This should make the page more useful for random users who find it
>>> using a search engine.
>>>
>>> Intents:
>>> 1. Consider usability *very* early in the design process.
>>> 2. Think about LDAP schema support for UI workflows very early.
>>
>> These are good intents. However, while I agree with the intents, I am curious
>> how this is supposed to work, because the CLI/UI often works with the terms
>> that are being defined in Design.
>>
>> See for example here:
>> http://www.freeipa.org/page/V4/User_Certificates#Feature_Management
>> It already assumes you know some parts of the design, like matching attribute.
>>
>> Or:
>> http://www.freeipa.org/page/V4/OTP#Feature_Management
>> It already assumes you know what OTP token is, what Radius Proxy server is and
>> how it relates, etc.
>
> Well, that points to an interesting problem of user interface design.
>
> Is the user assumed to read the *design* page before using the feature (so he
> knows the terms as you pointed out)? If it is true then we failed
> spectacularly at providing usable user interfaces.
>
> Looking at
> https://www.nngroup.com/articles/ten-usability-heuristics/
> second principle:
>
> # Match between system and the real world
> ## The system should speak the users' language, with words, phrases and
> concepts familiar to the user, rather than system-oriented terms. Follow
> real-world conventions, making information appear in a natural and logical order.
>
>
> My understanding of this is that terms should be 'the usual' terms used in
> given field. FreeIPA did not invent any of OTP, RADIUS, DNS, PKI, AD etc.
>
> Interface should be self-describing. If it is not then we failed. If there is
> hard to understand but standard terminology, link to an external article and
> do not spend time on describing it 25th time (most likely using slightly
> inconsistent terms).
>
> Obviously there will be exceptions but wiki has hyperlinks so this can be
> handled if absolutely necessary.

+1 to Petr's comment. UIs sections should be readable by users. Low-level
details can be in implementation section.

>
>
>>> DNS locations proved that UI is a nightmare which is better to think about in
>>> the very beginning, even before thinking about LDAP schema.
>>>
>>> I hope it will help in long term.
>>
>> While it may make sense to *think* about the interfaces first, why does it also
>> have to be in the design page as the first thing, given it breaks the natural
>> and logical flow of the text?
>
> In my eyes this is more logical and makes the page more useful to a wider
> audience as I explained in the previous e-mail.
>
> AFAIK 'How to test' section was added purposely to make the page usable by
> non-developers and this is just going in the same direction.
>
> Looking at TOC the developer-only sections are just 'Design' and
> 'Implementation'. If we wanted to be radical and wanted to make the page
> really nice, shiny, logical, and easy to use by casual users we could move
> Design and Implementation into sub-page /all-the-gory-details.
>
> I understand that could be too radical.
>
--
Petr Vobornik
From pvoborni at redhat.com Fri Mar 4 16:33:08 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 4 Mar 2016 17:33:08 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
Message-ID: <56D9B8C4.4070605@redhat.com>

Hello all,

COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
created in new @freeipa group:

* @freeipa/freeipa-4-2-rc for f23
* @freeipa/freeipa-4-3-rc for f23, f24, rawhide

@freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means
that there is push freeze in ipa-4-2 branch.

4.3.1 is not finished yet, but the COPR repository already contains
initial package matching state of ipa-4-3 branch from today.

[1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/
[2] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-rc/
--
Petr Vobornik
From mbasti at redhat.com Fri Mar 4 16:33:15 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 4 Mar 2016 17:33:15 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D9AA4B.103@redhat.com>
References: <5640A90B.6030906@redhat.com> <5656CB3B.8010000@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com>
Message-ID: <56D9B8CB.3040507@redhat.com>

* old messages have been removed *

>>>> 1)
>>>> this method is unused please remove it
>>>>
>>>> def test_kra_install_master(self):
> Well, in fact it is used twice: in both domain levels, so I'd better
> keep it:
>
> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
> --collect-only
> ====================================================================================
> test session starts
> =====================================================================================
> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
> plugins: sourceorder, multihost
> collected 8 items
>

aah my bad, I forgot that pytest executes it when it begins with test_* even
in parent class

>
>>>> 2)
>>>> Why are these there? I do not see any usage
>>>>
>>>> from env_config import get_global_config
>>>> config = get_global_config()
> Removed
>
>>>> 3) nitpick
>>>> + num_clients = 0
>>>> this is set by default
> Removed
>
>>>> otherwise LGTM
>>>>
>>>> Results of testing tomorrow.
>>>>
>>>> Martin^2
>>>>
>>> I applied all patches including workarounds, but test failed.
>>>
>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>
>>>
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>> '--setup-ca', '--ip-address', '192.168.144.102',
>>> '/root/ipatests/replica-info.gpg']
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host
>>> replica1.ipa.test already exists on the master server.
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should
>>> remove it before proceeding:
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>>> host-del replica1.ipa.test
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>> ipa-replica-install command failed. See
>>> /var/log/ipareplica-install.log for more information
>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3
>>> FAILED
> this is exactly the error that happens when a workaround for 5627 is not
> applied. I have re-run the tests with all the patches and everything
> passed. Could you please double-check, whether patch 0027 was applied
> correctly?
> > bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py --pdb > ==================================================================================== > test session starts > ===================================================================================== > platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 > rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini > plugins: sourceorder, multihost > collected 8 items > > test_integration/test_replica_promotion.py ........ > > ================================================================================ > 8 passed in 7561.93 seconds > ================================================================================= > I will >> And it needs ticket, otherwise it will not be in 4-3 branch. > https://fedorahosted.org/freeipa/ticket/5723 From pvoborni at redhat.com Fri Mar 4 18:03:43 2016 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 4 Mar 2016 19:03:43 +0100
Subject: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog
In-Reply-To: <56D58D07.709@redhat.com>
References: <56D58D07.709@redhat.com>
Message-ID: <56D9CDFF.9090406@redhat.com>

On 03/01/2016 01:37 PM, Pavel Vomacka wrote:
> Hi,
>
> The patch adds new field in user add dialog. This combo box lists GIDs
> of posix groups
> so user can choose one. It is also possible to fill a GID number
> which is not in the list.
>
> Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505
>
> --
> Pavel^3 Vomacka
>

1. We can keep default label 'GID' by removing 'label' from spec, which is also used on details page. No need to add a new string.

2. It is hard to pick a group from a list because the only thing administrator sees are GID numbers, e.g.,:
* 330800000
* 330800002

It would be good to show a group name there or group name + GID
* admins
* editors

Reasoning:
a) If admin wants to set arbitrary GID number not managed in IPA, he already knows it and can enter it directly.
b) If he wants to set a specific group then he will search for it by name.

Such change will require a change in combobox widget so that we can specify a label field and a value field. E.g. list will operate with e.g.:
[
{ label: 'admins', value: 330800000 },
{ label: 'editors', value: 330800000 }
]

and not [ 330800000, 330800000 ]

I tried if it is possible to do easily and yes. See attached wippatch. Would be good to check if it breaks anything. If not then we can merge it into your patch.
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wip-freeipa-pvoborni-0780-try-different-value-and-label-field-in-entity-widget.patch
Type: text/x-patch
Size: 2245 bytes
Desc: not available
URL:

From lslebodn at redhat.com Fri Mar 4 19:51:43 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 4 Mar 2016 20:51:43 +0100
Subject: [Freeipa-devel] host-del & client uninstall: additional discussion related to DNS needed
In-Reply-To: <56D9AE53.7060409@redhat.com>
References: <56D84F94.3000705@redhat.com> <56D86810.1080600@redhat.com> <56D87122.9000709@redhat.com> <56D94486.6040703@redhat.com> <56D99620.6000108@redhat.com> <56D9AE53.7060409@redhat.com>
Message-ID: <20160304195143.GA12651@mail.corp.redhat.com>

On (04/03/16 16:48), Petr Spacek wrote:
>On 4.3.2016 15:05, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 3.3.2016 18:15, Martin Basti wrote:
>>>>
>>>>
>>>> On 03.03.2016 17:36, Petr Vobornik wrote:
>>>>> On 03/03/2016 03:52 PM, Martin Basti wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> related tickets:
>>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>> https://fedorahosted.org/freeipa/ticket/5675
>>>>>> https://fedorahosted.org/freeipa/ticket/5715
>>>>>>
>>>>>> I'm trying to implement both tickets, but I don't like the way we
>>>>>> decided on devel meeting anymore.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>>>
>>>>>> 1)
>>>>>> ipa host-del --updatedns
>>>>>>
>>>>>> I propose to only delete A, AAAA and related PTR records (SSHFP records
>>>>>> explained later). The record are somehow managed by IPA
>>>>>>
>>>>>> I don't like the idea of having an extra option to specify record types
>>>>>> that should be removed or a flag that will remove DNS entry completely.
>>>>>> IMO that is duplication of dnsrecord-mod/del functionality, host-del
>>>>>> should not be used for managing DNS. If somebody wants better
>>>>>> granularity, the one should use 'dnsrecord-mod zone rec --type-rec=' or
>>>>>> 'dnsrecord-del --del-all'
>>>>>
>>>>> AFAIK the proposal on devel meeting was:
>>>>>
>>>>> --update-dns will delete A, AAAA, SSHFP
>>>>> --update-dns=all will delete the whole DNS record LDAP entry
>>>>>
>>>>> there was also a proposal for granularity, e.g., --update-dns=a,aaaa.
>>>> Yes this looks for me like doing an alias for dnsrecord-del command
>>>>
>>>>>
>>>>> Then it was agreed that --update-dns won't search for SRV records (not
>>>>> mentioned here, so OK).
>>>>>
>>>>> PTR records weren't discussed or decision was not recorded.
>>>> When we remove A/AAAA, then we should remove PTR as well
>>>>>
>>>>> The proposal above keeps backwards compatibility though it may not be
>>>>> possible to do with current framework. Or do we have support for multivalued
>>>>> enum with default value(s) which acts as a flag?
>>>> It needs big hacks in framework, to support is as Flag for old client and Enum
>>>> for new clients
>>>>>
>>>>> If the new option type is too complicated to introduce, then I would prefer
>>>>> to keep current option(flag) with behavior matching proposal for
>>>>> --update-dns or --update-dns=all.
>>>> To use "--update-dns will delete A, AAAA, SSHFP" only was proposed by me here.
>>>>
>>>>>
>>>>> Definitely big +1 on not introducing a new option.
>>>>>
>>>>> No need to over-engineer it.
>>>>>
>>>>> Not sure about PTR records.
>>>>>
>>>>>>
>>>>>> Note: due backward compatibility --updatedns cannot be migrated to ENUM,
>>>>>> new option needed
>>>>>
>>>>>>
>>>>>> 2)
>>>>>> SSHFP records and host-del (https://fedorahosted.org/freeipa/ticket/5715)
>>>>>>
>>>>>> host-del removes SSH keys from LDAP, thus there is no reason to keep
>>>>>> SSHFP record in DNS, thus SSHFP records should be removed always (even
>>>>>> without --updatedns option)
>>>>>
>>>>> ACK
>>>>>
>>>>>>
>>>>>> 3)
>>>>>> ipa-client-install --uninstall
>>>>>>
>>>>>> SSHFP record are always added via nsupdate to DNS, IMO during client
>>>>>> uninstall all SSHFP record related to client should be removed via
>>>>>> nsupdate too.
>>>>>
>>>>> IMHO not necessary will be solved either by #5676 and/or #5715(currently
>>>>> uninstall indirectly calls ipa-host-disable)
>>>> However host-disable does not do nsupdate, so it will work only for IPA DNS.
>>>> So if nsupdate set SSHFP on non-IPA server, we do not have reverse operation
>>>> in uninstall for that.
>>>>
>>>>>
>>>>>>
>>>>>> 4)
>>>>>> https://fedorahosted.org/freeipa/ticket/5676
>>>>>>
>>>>>> ipa-client-install --uninstall --delete-host #suggestions how to name
>>>>>> option for removing host entry for ldap welcome
>>>>>>
>>>>>> Should this option call 'host-del' or 'host-del --updatedns'?
>>>>>>
>>>>>> I would like to avoid additional DNS related option to be added to
>>>>>> ipa-client-install
>>>>>>
>>>>>> Also do we really want to implement this ticket? What is the gain there?
>>>>>
>>>>> The devel discussions which is recorded in
>>>>> https://fedorahosted.org/freeipa/ticket/5676#comment:1
>>>>>
>>>>> Suggests to change default behavior in ipa-client-install --uninstall so
>>>>> that it will call:
>>>>>
>>>>> `ipa host-del --update-dns` instead of `ipa-join --unenroll`. So it will
>>>>> also do #3.
>>>>>
>>>>> Further proposal in #5676 is to introduce a new option(--keephost ??) to
>>>>> keep the host records, i.e., the old behavior.
>>>>>
>>>>> But comment:
>>>>> """
>>>>> simo: maybe keeping backward compatibility is more important, discuss later
>>>>> if --remove option would be better
>>>>> """
>>>>> suggest that further discussion is needed
>>>>
>>>> I agree with backward compatibility here. A current user may be very surprised
>>>> that all DNS records of the host disappear.
>>>
>>> The general problem is that installation process (aka ipa-client-install) is a
>>> mess without documented design (at least when it comes to DNS parts) so it is
>>> quite hard to do the reverse on --uninstall.
>>>
>>> Given that we're planning to implement integration with external DNS in future
>>> we might want to postpone ipa-client-install changes related to DNS and do
>>> overhaul at once.
>>>
>>> For example host plugin will need changes as many assumptions about DNS usage
>>> are oversimplified or simply wrong so delaying changes might save some
>>> headache caused by two behavior changes in two subsequent releases.
>>>
>>
>> I'm not sure what you'd be looking for in ipa-client install but even if
>> you knew exactly what changes were made I don't think it would be enough
>> to do everything in uninstall. It wouldn't handle DNS changes made
>> post-install, for example, so even if state was stored somewhere it
>> could still result in left-over DNS entries.
>>
>> This is particularly important when considering client -> master
>> promotion where a slew of DNS entries will be created.
>>
>> Or am I misunderstanding your point?
>
>You are right, it might be too stateful for 100% clean solution.
>
>Honestly the cleanest thing we could do is not touch DNS at all for clients.
>It should be job of the provisioning system and I do not really understand why
>the functionality was added to ipa-client-install and not to some other tool.
>The same applies to DNS updates from SSSD - it is a job for NetworkManager (or
>something else), not SSSD.
>
DNS updates are not enabled by default with ipa provider.
ipa-client install configure it :-)

+1 for NetworkManager (or something else)

LS

From ftweedal at redhat.com Mon Mar 7 04:50:17 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 7 Mar 2016 14:50:17 +1000
Subject: [Freeipa-devel] [PATCH 0404] ipalib: Fix user certificate docstrings
In-Reply-To: <56D9765A.4040602@redhat.com>
References: <56D9765A.4040602@redhat.com>
Message-ID: <20160307045017.GU12127@dhcp-40-8.bne.redhat.com>

On Fri, Mar 04, 2016 at 12:49:46PM +0100, Tomas Babej wrote:
> Hi,
>
> this fixes incorrect usercertificate attribute docstrings in several IPA
> objects.
>
> Tomas
>
ACK.

From jcholast at redhat.com Mon Mar 7 06:33:52 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 7 Mar 2016 07:33:52 +0100
Subject: [Freeipa-devel] Design review request: RFC 2818 certificate compliance
In-Reply-To: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com>
References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com>
Message-ID: <56DD20D0.50706@redhat.com>

Hi,

On 29.2.2016 07:59, Fraser Tweedale wrote:
> Hi all (especially those interested in certificates),
>
> Please provide early review of my design for RFC 2818 compliance
> which will address the following tickets:
>
> - #4970 Server certificate profile should always include a Subject Alternate name for the host
> - #5706 [RFE] Support SAN-only certificates
>
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
>
> The design is a WIP and there is no code for it yet. Looking for
> feedback and (hopefully) validation of the approach before
> committing cycles to implementing new profile components in Dogtag.

1) Do wildcard certificates need special handling? There is no mention of them in the design doc.

2) Should we accept invalid CSR where CN length is greater than 64? I wouldn't be surprised if these existed in the wild.

3) Sometimes it is not clear which parts belong to Dogtag and which to IPA itself. For example the upgrade section - I assume Dogtag should update registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated anywhere.

Honza

--
Jan Cholasta

From jcholast at redhat.com Mon Mar 7 06:56:16 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 7 Mar 2016 07:56:16 +0100
Subject: [Freeipa-devel] [PATCH 0001] Add new parameter --ssh-update to ipa-client-install
In-Reply-To: <56D7E547.30208@redhat.com>
References: <1456175624.5411.4.camel@stefany.eu> <56CF0060.3090202@redhat.com> <56CF0353.5060705@redhat.com> <1456604366.2844.13.camel@stefany.eu> <56D71A1A.1060602@redhat.com> <1456953339.2507.7.camel@stefany.eu> <56D7E547.30208@redhat.com>
Message-ID: <56DD2610.1080601@redhat.com>

On 3.3.2016 08:18, Jan Cholasta wrote:
> On 2.3.2016 22:15, Martin Štefany wrote:
>> Hi,
>>
>> On St, 2016-03-02 at 17:51 +0100, Martin Basti wrote:
>>>
>>>
>>> On 27.02.2016 21:19, Martin Štefany wrote:
>>>> Hi,
>>>>
>>>> I did as Jan suggested, everything is now a new command 'ipa-
>>>> sshupdate',
>>>> (so it's based on Jan's 'ipa-certupdate', yeah, a bit of copy-
>>>> paste),
>>>> rest is based on ipa-client-install's code. I'm not sure if this is
>>>> correct, but you might want to change ipa-client-install to just
>>>> 'import
>>>> ipaclient.ipa_sshupdate' for ssh update, or not - I'm not sure how
>>>> this
>>>> is compatible with 'code deduplication', 're-usage', etc.
>>>>
>>>> Another open point from my side is PEP8 compliance, I've ran the new
>>>> code through pep8 utility with defaults and it's 'OK'. But so is
>>>> code in
>>>> my employer's project and they look slightly 'different', mainly for
>>>> brackets, strings, etc. Please, have a look to that, too, I'm happy
>>>> for
>>>> any guidance.
>>>>
>>>> Martin
>>>>
>>>> On Št, 2016-02-25 at 14:36 +0100, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 25.2.2016 14:23, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 22.02.2016 22:13, Martin Štefany wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> please, review the attached patch which adds --ssh-update to
>>>>>>> ipa-
>>>>>>> client-
>>>>>>> install.
>>>>>>>
>>>>>>> Ticket:https://fedorahosted.org/freeipa/ticket/2655
>>>>>> Hello,
>>>>>> thank you for your patch.
>>>>>> Please attach a patch as a file next time. >>>>>> >>>>>> I have doubts that this should be part of ipa-client-install, >>>>>> this >>>>>> needs >>>>>> a broader discussion. >>>>> +1, I think it should be a separate command (ignore my earlier >>>>> suggestion from Trac to incorporate this into ipa-client-install, >>>>> I >>>>> was >>>>> young and stupid). >>>>> >>>>> See client/ipa-certupdate and ipaclient/ipa_certupdate.py for an >>>>> example >>>>> of how such a command should be implemented. >>>>> >>>>>> >>>>>> Code comments inline: >>>>>>> >>>>>>> --- >>>>>>> Martin >>>>>>> >>>>>>>> From 4974a57f48a0cd48b83724297ae2af572bc530eb Mon Sep 17 >>>>>>>> 00:00:00 2001 >>>>>>> From: Martin Stefany >>>>>>> Date: Mon, 22 Feb 2016 20:58:13 +0000 >>>>>>> Subject: [PATCH] Add new parameter --ssh-update to ipa-client- >>>>>>> install >>>>>>> >>>>>>> Add a new parameter '--ssh-update' which can be used later >>>>>>> after >>>>>>> freeipa >>>>>>> client is installed to update SSH hostkeys and SSHFP DNS >>>>>>> records >>>>>>> for >>>>>>> host. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/2655 >>>>>>> --- >>>>>>> ipa-client/ipa-install/ipa-client-install | 102 >>>>>>> +++++++++++++++++++++++++++++- >>>>>>> 1 file changed, 99 insertions(+), 3 deletions(-) >>>>>>> >>>>>>> diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa- >>>>>>> client/ipa- >>>>>>> install/ipa-client-install >>>>>>> index >>>>>>> 789ff591591673744ee3b922e5c0181233ad553c..97adfb6b449fb441bdda >>>>>>> da89 >>>>>>> a3b151 >>>>>>> 33e398ca50 100755 >>>>>>> --- a/ipa-client/ipa-install/ipa-client-install >>>>>>> +++ b/ipa-client/ipa-install/ipa-client-install 
>>>>>>> @@ -71,6 +71,7 @@ CLIENT_INSTALL_ERROR = 1 >>>>>>> CLIENT_NOT_CONFIGURED = 2 >>>>>>> CLIENT_ALREADY_CONFIGURED = 3 >>>>>>> CLIENT_UNINSTALL_ERROR = 4 # error after restoring >>>>>>> files/state >>>>>>> +CLIENT_SSHUPDATE_ERROR = 5 # error during update of SSH >>>>>>> public >>>>>>> keys >>>>>>> >>>>>>> def parse_options(): >>>>>>> def validate_ca_cert_file_option(option, opt, value, >>>>>>> parser): >>>>>>> @@ -215,6 +216,12 @@ def parse_options(): >>>>>>> "be run with -- >>>>>>> unattended >>>>>>> option") >>>>>>> parser.add_option_group(uninstall_group) >>>>>>> >>>>>>> + sshupdate_group = OptionGroup(parser, "SSH key update >>>>>>> options") >>>>>>> + sshupdate_group.add_option("--ssh-update", >>>>>>> dest="ssh_update", >>>>>>> + action="store_true", default=False, >>>>>>> + help="update local host's SSH public >>>>>>> keys >>>>>>> in host >>>>>>> entry and DNS.") >>>>>>> + parser.add_option_group(sshupdate_group) >>>>>>> + >>>>>>> options, args = parser.parse_args() >>>>>>> safe_opts = parser.get_safe_opts(options) >>>>>>> 
>>>>>>> @@ -840,6 +847,92 @@ def uninstall(options, env): >>>>>>> >>>>>>> return rv >>>>>>> >>>>>>> +def sshupdate(options, env): >>>>>>> + if not is_ipa_client_installed(): >>>>>>> + root_logger.error("IPA client is not configured on >>>>>>> this >>>>>>> system.") >>>>>>> + return CLIENT_NOT_CONFIGURED >>>>>>> + >>>>>>> + api.bootstrap(context='cli_installer', >>>>>>> debug=options.debug) >>>>>>> + api.finalize() >>>>>>> + if 'config_loaded' not in api.env: >>>>>>> + root_logger.error("Failed to initialize IPA API.") >>>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>>>> + >>>>>>> + # Now, let's try to connect to the server's RPC interface >>>>>>> + connected = False >>>>>>> + try: >>>>>>> + api.Backend.rpcclient.connect() >>>>>>> + connected = True >>>>>>> + root_logger.debug("Try RPC connection") >>>>>>> + api.Backend.rpcclient.forward('ping') >>>>>>> + except errors.KerberosError as e: >>>>>>> + if connected: >>>>>>> + api.Backend.rpcclient.disconnect() >>>>>>> + root_logger.info( >>>>>>> + "Cannot connect to the server due to Kerberos >>>>>>> error: >>>>>>> %s. " >>>>>>> + "Trying with delegate=True", e) >>>>>>> + try: >>>>>>> + api.Backend.rpcclient.connect(delegate=True) >>>>>>> + root_logger.debug("Try RPC connection") >>>>>>> + api.Backend.rpcclient.forward('ping') >>>>>>> + >>>>>>> + root_logger.info("Connection with delegate=True >>>>>>> successful") >>>>>>> + >>>>>>> + # The remote server is not capable of Kerberos >>>>>>> S4U2Proxy >>>>>>> + # delegation. 
This features is implemented in IPA >>>>>>> server >>>>>>> + # version 2.2 and higher >>>>>>> + root_logger.warning( >>>>>>> + "Target IPA server has a lower version than >>>>>>> the >>>>>>> enrolled " >>>>>>> + "client") >>>>>>> + root_logger.warning( >>>>>>> + "Some capabilities including the ipa command >>>>>>> capability >>>>>>> " >>>>>>> + "may not be available") >>>>>>> + except errors.PublicError as e2: >>>>>>> + root_logger.warning( >>>>>>> + "Second connect with delegate=True also >>>>>>> failed: >>>>>>> %s", >>>>>>> e2) >>>>>>> + root_logger.error( >>>>>>> + "Cannot connect to the IPA server RPC >>>>>>> interface: >>>>>>> %s", >>>>>>> e2) >>>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>>>> + except errors.PublicError as e: >>>>>>> + root_logger.error( >>>>>>> + "Cannot connect to the server due to generic >>>>>>> error: >>>>>>> %s", e) >>>>>>> + return CLIENT_SSHUPDATE_ERROR >>>>>> I think you should be kinited with client keytab, client is >>>>>> allowed >>>>>> to >>>>>> modify its SSHpublic keys in ldap. I'd only require to be root >>>>>> to >>>>>> execute it. >>>>>> >>>>>> kinit -kt /etc/krb5.keytab host/`hostname` >>>>>> ipa host-mod `hostname` --sshpubkey="something" >>>>>> >>>>>> Also this rpcconnection looks to me too much complicated, I >>>>>> think it >>>>>> should be just simple rpcconnect >>>>>> >>>>>>> + >>>>>>> + # We need to pull IPA server address from default.conf >>>>>>> + try: >>>>>>> + parser = RawConfigParser() >>>>>>> + parser.read(paths.IPA_DEFAULT_CONF) >>>>>>> + cli_realm = parser.get('global', 'realm') >>>>>>> + hostname = parser.get('global', 'host') >>>>>>> + # TODO: consult with review team >>>>>>> + # except ConfigParser.NoSectionError as e: >>>>>>> + # pass >>>>>>> + # except ConfigParser.ParsingError as e: >>>>>>> + # pass >>>>>>> + finally: >>>>>>> + pass >>>>>> You can raise error there. >>>>>> >>>>>>> + >>>>>>> + host_principal = 'host/%s@%s' % (hostname, cli_realm) >>>>>>> + # Obtain the TGT. 
We do it with the temporary krb5.conf, >>>>>>> so >>>>>>> that >>>>>>> + # only the KDC we're installing under is contacted. >>>>>>> + # Other KDCs might not have replicated the principal yet. >>>>>>> + # Once we have the TGT, it's usable on any server. >>>>>> I don't think that temporary krb5.conf should be used here >>>>>>> + try: >>>>>>> + ipautil.kinit_keytab(host_principal, >>>>>>> paths.KRB5_KEYTAB, >>>>>>> + CCACHE_FILE, >>>>>>> + # config=krb_name, >>>>>>> + attempts=options.kinit_attempts) >>>>>>> + env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = >>>>>>> CCACHE_FILE >>>>>>> + except Krb5Error as e: >>>>>>> + print_port_conf_info() >>>>>>> + root_logger.error("Failed to obtain host TGT: %s" % >>>>>>> e) >>>>>>> + # failure to get ticket makes it impossible to login >>>>>>> and >>>>>>> bind >>>>>>> + # from sssd to LDAP, abort installation and rollback >>>>>>> changes >>>>>>> + return CLIENT_INSTALL_ERROR >>>>>> This is not install error. >>>>>> >>>>>>> + >>>>>>> + # passing server parameter seems unneccessary, thus >>>>>>> passing >>>>>>> only "" >>>>>>> + update_ssh_keys("", hostname, >>>>>>> services.knownservices.sshd.get_config_dir(), >>>>>>> options.create_sshfp) >>>>>>> + >>>>>>> def configure_ipa_conf(fstore, cli_basedn, cli_realm, >>>>>>> cli_domain, >>>>>>> cli_server, hostname): >>>>>>> ipaconf = ipaclient.ipachangeconf.IPAChangeConf("IPA >>>>>>> Installer") >>>>>>> ipaconf.setOptionAssignment(" =") @@ -2797,7 +2890,7 @@ >>>>>>> def >>>>>>> install(options, env, fstore, >>>>>>> statestore): connected = True >>>>>>> root_logger.debug("Try RPC connection") >>>>>>> api.Backend.rpcclient.forward('ping') >>>>>>> - except errors.KerberosError, e: >>>>>>> + except errors.KerberosError as e: >>>>>> Please don't modify code that already exists and it is not >>>>>> related >>>>>> to >>>>>> this change >>>>>>> if connected: >>>>>>> api.Backend.rpcclient.disconnect() >>>>>>> root_logger.info( 
>>>>>>> @@ -2820,13 +2913,13 @@ def install(options, env, fstore, >>>>>>> statestore): >>>>>>> root_logger.warning( >>>>>>> "Some capabilities including the ipa >>>>>>> command >>>>>>> capability " >>>>>>> "may not be available") >>>>>>> - except errors.PublicError, e2: >>>>>>> + except errors.PublicError as e2: >>>>>> Remove this from patch too >>>>>>> root_logger.warning( >>>>>>> "Second connect with delegate=True also >>>>>>> failed: >>>>>>> %s", e2) >>>>>>> root_logger.error( >>>>>>> "Cannot connect to the IPA server RPC >>>>>>> interface: >>>>>>> %s", e2) >>>>>>> return CLIENT_INSTALL_ERROR >>>>>>> - except errors.PublicError, e: >>>>>>> + except errors.PublicError as e: >>>>>> and this too >>>>>>> root_logger.error( >>>>>>> "Cannot connect to the server due to generic >>>>>>> error: >>>>>>> %s", e) >>>>>>> return CLIENT_INSTALL_ERROR 
>>>>>>> @@ -3088,6 +3181,9 @@ def main(): >>>>>>> if options.uninstall: >>>>>>> return uninstall(options, env) >>>>>>> >>>>>>> + if options.ssh_update: >>>>>>> + return sshupdate(options, env) >>>>>>> + >>>>>>> if is_ipa_client_installed(on_master=options.on_master): >>>>>>> root_logger.error("IPA client is already configured >>>>>>> on >>>>>>> this >>>>>>> system.") >>>>>>> root_logger.info( >>>>>>> -- >>>>>>> 1.8.3.1 >>>>>>> >>>>>>> >>>>>> Martin^2 >>>>>> >>>>>> >>>>> Honza >>> >>> Thanks, >>> >>> I have a few comments >>> >>> 1) >>> Please use new license format in header of the new files >>> >>> # >>> # Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>> # >> OK >>> >>> 2) >>> This is very bad, I sent patch to fix it in client code >>> + except ValueError as UnicodeDecodeError: >>> + continue >>> >>> it should be except (ValueError, UnicodeDecodeError): >>> and maybe debug log? >> Something like? : >> >> + for line in f: >> + line = line[:-1].lstrip() >> + if not line or line.startswith('#'): >> + continue >> + try: >> + pubkey = ssh.SSHPublicKey(line) >> + self.log.info("Adding SSH public key from %s", >> filename) >> + pubkeys.append(pubkey) >> + except (ValueError, UnicodeDecodeError) as e: >> + self.log.debug( >> + "Skipping SSH public key from %s due to error: >> %s", >> + filename, e >> + ) >> >> I had to move it inside try-except clause since not assigning pubkey and >> handling exception causes then "exception: UnboundLocalError: local >> variable 'pubkey' referenced before assignment" :\ >> Should it be debug or warning? >>> >>> 3) >>> I see many errors, respectively not so nice code there, but I realized >>> that everything is from ipa-client-install. I think it would be better >>> to extract update_ssh_keys, and do_nsupdate to separate module and >>> reuse it in both scripts. > > +1 > >>> >>> I have to find out which (ipaclient, ipalib, ...) module are the best. > > ipaclient, obviously. Specifically, ipaclient/install/ssh.py. 
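Review bot: In the `@@ -840,6 +847,92 @@` hunk, sshupdate() calls api.Backend.rpcclient.connect() and forwards 'ping' before ipautil.kinit_keytab() has obtained the host TGT, so the RPC connection is attempted with whatever credentials the caller already holds instead of the host principal that is only built further down. Obtain the TGT and export KRB5CCNAME first, then connect. The same hunk returns CLIENT_INSTALL_ERROR when kinit fails although the patch defines CLIENT_SSHUPDATE_ERROR for exactly this command, and the comment beside it still talks about aborting installation and rolling back changes. The RawConfigParser reads sit in a try whose only clause is `finally: pass`, so a missing realm or host option surfaces as a traceback rather than an error code. After update_ssh_keys() the function falls off the end with no explicit success return, no rpcclient disconnect, and nothing visible that removes CCACHE_FILE once the host ticket is no longer needed.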
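Review bot: In the `@@ -3088,6 +3181,9 @@ def main()` hunk, the options.ssh_update test comes after the options.uninstall test, so a command line that carries both --uninstall and --ssh-update uninstalls the client without reporting the conflict, and the parse_options() hunk that adds --ssh-update has no check for it either. Reject the combination in parse_options() with parser.error(), next to where the new option group is added, and decide there as well whether install-only options given alongside --ssh-update should be refused or ignored.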
>
>>>
>>> Then fix issues with these functions.
>
> 4) I would prefer if the script was named "ipa-client-sshinstall", as
> that's consistent with "ipa-server-certinstall", which does a similar
> thing with certificates on server.

I meant "ipa-cacert-manage install", "ipa-server-certinstall" installs the certs locally, it does not upload them to IPA. The point is, we use the verb "install" when something is transmitted from the user to IPA.

--
Jan Cholasta

From mkosek at redhat.com Mon Mar 7 07:13:03 2016
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 7 Mar 2016 08:13:03 +0100 Subject: [Freeipa-devel] Feature template - proposed changes In-Reply-To: <56D9A2D7.8030401@redhat.com> References: <56D9979B.4070309@redhat.com> <56D99A44.20906@redhat.com> <56D9A2D7.8030401@redhat.com> Message-ID: <56DD29FF.7060400@redhat.com> On 03/04/2016 03:59 PM, Petr Spacek wrote: > On 4.3.2016 15:23, Martin Kosek wrote: >> On 03/04/2016 03:11 PM, Petr Spacek wrote: >>> Hello, >>> >>> I've updated Feature template to make sure that important the design decisions >>> are recorded somewhere. >>> >>> Of course all this is open for discussion. I did this soon because I believe >>> that it is better to actually see how it looks like instead of discussing >>> vaporware. Wiki has revert button if necessary, feel free to use it. >>> >>> New texts: >>> http://www.freeipa.org/page/Feature_template#Design_Assumptions >> >> Looks good to me. >> >>> http://www.freeipa.org/page/Feature_template#Use_Cases >> >> Does not look good to me. Practical examples of how features is used is in How >> to Test section, ideally organized by Use Cases, like in >> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test >> >> If we start adding gory details and examples right in Use Cases section, we >> would kill the clarity of that section that intends to just give you overview >> of the use cases. > > Okay, now I understand that. > Funnily enough the only thing I changed is addition of bullet "* Explicitly > list use cases which were considered but will not supported for some reason. > Include the reason, too ;-)" > > The text you are criticizing is there from the very first version of the page > [2012-07-24T21:09:49 as can be seen on > http://www.freeipa.org/index.php?title=Feature_template&oldid=5161]. Heh, sorry the extra rant then - I will therefore blame Rob instead ;-) In all seriousness, we should clarify that in this Feature template improvement session. 
> >> I would rather imagine something like >> >> http://www.freeipa.org/page/V4/Authentication_Indicators#Strong_Authentication_on_Selected_System >> >> which is an impromptu format for the new User Story based approach. The >> expectations is that rest of the page will then work with these User >> Stories/Use Cases, whether it is Design, How To Test, UI examples or Test Plan. > > Agreed. > > >>> I also did one unrelated change: >>> Now "Feature Management" chapter precedes "Design" chapter with all the gory >>> details. This should make the page more useful for random users who find it >>> using a search engine. >>> >>> Intents: >>> 1. Consider usability *very* early in the design process. >>> 2. Think about LDAP schema support for UI workflows very early. >> >> These are good intents. However, while I agree with the intents, I am curious >> how this is supposed to work, because the CLI/UI often works with the terms >> that are being defined in Design. >> >> See for example here: >> http://www.freeipa.org/page/V4/User_Certificates#Feature_Management >> It already assumes you know some parts of the design, like matching attribute. >> >> Or: >> http://www.freeipa.org/page/V4/OTP#Feature_Management >> It already assumes you know what OTP token is, what Radius Proxy server is and >> how it relates, etc. > > Well, that points to an interesting problem of user interface design. > > Is the user assumed to read the *design* page before using the feature (so he > knows the terms as you pointed out)? If it is true then we failed > spectacularly at providing usable user interfaces. > > Looking at > https://www.nngroup.com/articles/ten-usability-heuristics/ > second principle: > > # Match between system and the real world > ## The system should speak the users' language, with words, phrases and > concepts familiar to the user, rather than system-oriented terms. Follow > real-world conventions, making information appear in a natural and logical order. 
> > > My understanding to this is that terms should be 'the usual' terms used in > given field. FreeIPA did not invent neither of OTP, RADIUS, DNS, PKI, AD etc. > > Interface should be self-describing. If it is not then we failed. If there is > hard to understand but standard terminology, link to an external article and > do not spend time on describing it 25th time (most likely using slightly > inconsistent terms). > > Obviously there will be exceptions but wiki has hyperlinks so this can be > handled if absolutely necessary. Hmm, that's a good point. I am not completely sold yet as I kind of liked the original logical flow of the design page. But I think we will see that on the first non-trivial example of design page. Maybe you could hane the DNS Location design page updated with your proposed flow, so that we see if it indeed makes sense? That design page can be surely considered non-trivial. >>> DNS locations proved that UI is a nightmare which is better to think about in >>> the very beginning, even before thinking about LDAP schema. >>> >>> I hope it will help in long term. >> >> While it may make sense to *think* about the interfaces first, why does it also >> have to be in the design page as the first thing, given it breaks the natural >> and logical flow of the text? > > In my eyes this is more logical and makes the page more useful to a wider > audience as I explained in the previous e-mail. > > AFAIK 'How to test' section was added purposely to make the page usable by > non-developers and this is just going in the same direction. Right. > Looking at TOC the developer-only sections are just 'Design' and > 'Implementation'. If we wanted to be radical and wanted to make the page > really nice, shiny, logical, and easy to use by causal users we could move > Design and Implementation into sub-page /all-the-gory-details. > > I understand that could be too radical. I may surprise you, but I think this is actually not that bad idea. 
To me, it seems that the feature page are more and more read by non-developers, whether it is people supporting other users, quality engineers, UX designers, etc. We should be thinking of our users when writing the design page in the first place, so maybe the proposal would actually make sense - I am curious what others think.

From pspacek at redhat.com Mon Mar 7 09:58:54 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 7 Mar 2016 10:58:54 +0100
Subject: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
In-Reply-To: <56D989E4.908@redhat.com>
References: <56D5AB3F.6080702@redhat.com> <56D989E4.908@redhat.com>
Message-ID: <56DD50DE.80906@redhat.com>

On 4.3.2016 14:13, Tomas Babej wrote:
> On 03/01/2016 03:46 PM, Petr Spacek wrote:
>> Hello,
>>
>> Pylint: enable parallelism
>>
>> The config file specifies 8 cores but Pylint very quickly
>> ends up with 3 cores so do not worry about overwhelming your system.
>
> I like the idea of the patch, however, on my single-CPU VM this causes
> additional overhead and lint ends up taking more time (+15%).
>
> From the pylint docs [1]:
>
> If the provided number is 0 then the number of CPUs will be used.
>
> I'd suggest we use this value instead, to get the best of both worlds :)

Here you go.

Petr^2 Spacek

> Tomas
>
> [1] https://docs.pylint.org/run.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0087-2-Pylint-enable-parallelism.patch
Type: text/x-patch
Size: 705 bytes
Desc: not available
URL:

From pvomacka at redhat.com Mon Mar 7 10:24:28 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 7 Mar 2016 11:24:28 +0100
Subject: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog
In-Reply-To: <56D9CDFF.9090406@redhat.com>
References: <56D58D07.709@redhat.com> <56D9CDFF.9090406@redhat.com>
Message-ID: <56DD56DC.2050708@redhat.com>

On 03/04/2016 07:03 PM, Petr Vobornik wrote:
> On 03/01/2016 01:37 PM, Pavel Vomacka wrote:
>> Hi,
>>
>> The patch adds new field in user add dialog. This combo box lists GIDs
>> of posix groups
>> so user can choose one. It is also possible to fill a GID number
>> which is not in the list.
>>
>> Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505
>>
>> --
>> Pavel^3 Vomacka
>>
>
> 1. We can keep default label 'GID' by removing 'label' from spec,
> which is also used on details page. No need to add a new string.
>
> 2. It is hard to pick a group from a list because the only thing
> administrator sees are GID numbers, e.g.,:
> * 330800000
> * 330800002
>
> It would be good to show a group name there or group name + GID
> * admins
> * editors
>
> Reasoning:
> a) If admin wants to set arbitrary GID number not managed in IPA, he
> already knows it and can enter it directly.
> b) If he wants to set a specific group then he will search for it by
> name.
>
> Such change will require a change in combobox widget so that we can
> specify a label field and a value field. E.g. list will operate with
> e.g.:
> [
> { label: 'admins', value: 330800000 },
> { label: 'editors', value: 330800000 }
> ]
>
> and not [ 330800000, 330800000 ]
>
> I tried if it is possible to do easily and yes. See attached wippatch.
> Would be good to check if it breaks anything. If not then we can merge
> it into your patch.

Hi,

thank you for your patch. It's definitely better to see names of groups instead of numbers. Your solution works well. I merged your patch with mine and the result is attached.
I also removed definitions of new string (was used as label) from my first patch.

Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0007-2-Add-field-for-group-id-in-user-add-dialog.patch
Type: text/x-patch
Size: 2602 bytes
Desc: not available
URL:

From jfenal at gmail.com Mon Mar 7 10:48:51 2016
From: jfenal at gmail.com (Jérôme Fenal)
Date: Mon, 7 Mar 2016 11:48:51 +0100
Subject: [Freeipa-devel] French translation for FreeIPA
In-Reply-To:
References:
Message-ID:

2016-02-29 18:45 GMT+01:00 Jérôme Fenal :

> Hi all,
>
> Just a quick note to let you that I completed the translation of what
> was available to translate on Zanata.
>
> Can you please check it passes the QA, that the strings available on
> Zanata are the latest ones, and that it can flow back into RHEL7?
>

Hello there,

No news good news, or everybody is swamped in BZs? :-)

Cheers,

J.
--
Jérôme Fenal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Mon Mar 7 11:20:53 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 7 Mar 2016 12:20:53 +0100
Subject: [Freeipa-devel] French translation for FreeIPA
In-Reply-To:
References:
Message-ID: <56DD6415.1060107@redhat.com>

On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
>
>> Hi all,
>>
>> Just a quick note to let you that I completed the translation of what
>> was available to translate on Zanata.
>>
>> Can you please check it passes the QA, that the strings available on
>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>
>
> Hello there,
>
> No news good news, or everybody is swamped in BZs? :-)

Hi Jérôme,

Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right Tomas?

As for RHEL, there is not special process around adding the translated strings. The new ones should get there whenever the FreeIPA is rebased.

From tbabej at redhat.com Mon Mar 7 11:22:24 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 7 Mar 2016 12:22:24 +0100
Subject: [Freeipa-devel] [PATCH 0404] ipalib: Fix user certificate docstrings
In-Reply-To: <20160307045017.GU12127@dhcp-40-8.bne.redhat.com>
References: <56D9765A.4040602@redhat.com> <20160307045017.GU12127@dhcp-40-8.bne.redhat.com>
Message-ID: <56DD6470.6010700@redhat.com>

On 03/07/2016 05:50 AM, Fraser Tweedale wrote:
> On Fri, Mar 04, 2016 at 12:49:46PM +0100, Tomas Babej wrote:
>> Hi,
>>
>> this fixes incorrect usercertificate attribute docstrings in several IPA
>> objects.
>>
>> Tomas
>>
> ACK.
>

Pushed to master: 8bf6aa2c1c957025c7d466f7a33202a191764f0b

From tbabej at redhat.com Mon Mar 7 11:35:27 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Mon, 7 Mar 2016 12:35:27 +0100
Subject: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism
In-Reply-To: <56DD50DE.80906@redhat.com>
References: <56D5AB3F.6080702@redhat.com> <56D989E4.908@redhat.com> <56DD50DE.80906@redhat.com>
Message-ID: <56DD677F.7090105@redhat.com>

On 03/07/2016 10:58 AM, Petr Spacek wrote:
> On 4.3.2016 14:13, Tomas Babej wrote:
>> On 03/01/2016 03:46 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Pylint: enable parallelism
>>>
>>> The config file specifies 8 cores but Pylint very quickly
>>> ends up with 3 cores so do not worry about overwhelming your system.
>>
>> I like the idea of the patch, however, on my single-CPU VM this causes
>> additional overhead and lint ends up taking more time (+15%).
>>
>> From the pylint docs [1]:
>>
>> If the provided number is 0 then the number of CPUs will be used.
>>
>> I'd suggest we use this value instead, to get the best of both worlds :)
>
> Here you go.
>
> Petr^2 Spacek
>
>
>> Tomas
>>
>> [1] https://docs.pylint.org/run.html
>>
>>

Thanks, ACK.

Pushed to master: 42c01eb3270d8c47c41f7f9b0da7064edb4b0e47

Tomas

From lslebodn at redhat.com Mon Mar 7 11:46:58 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 7 Mar 2016 12:46:58 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <56D9B8C4.4070605@redhat.com>
References: <56D9B8C4.4070605@redhat.com>
Message-ID: <20160307114658.GE28936@mail.corp.redhat.com>

On (04/03/16 17:33), Petr Vobornik wrote:
>Hello all,
>
>COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
>created in new @freeipa group:
>* @freeipa/freeipa-4-2-rc for f23
>* @freeipa/freeipa-4-3-rc for f23, f24, rawhide
>
>@freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means that
>there is push freeze in ipa-4-2 branch.
>
>4.3.1 is not finished yet, but the COPR repository already contains initial
>package matching state of ipa-4-3 branch from today.
>
>[1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/

I can see three test failing with freeipa-4.2

test_dnssec.py -- it's known bug in freeipa
test_vault.py -- there are failures due to problem with installation of replica
test_caless.py -- TypeError: install() takes exactly 2 arguments (1 given)
 -- It should be already fixed in master
    e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f
    3507bcd3dfe2b0f1e7fae6f219a925ec6904ab47

BTW I'm lazy to file bugs in track. Feel free to file it yourself if you need to backport/fix tests.

LS

From mbabinsk at redhat.com Mon Mar 7 11:47:22 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 7 Mar 2016 12:47:22 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
Message-ID: <56DD6A4A.4050004@redhat.com>

https://fedorahosted.org/freeipa/ticket/5696

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0137-spec-add-conflict-with-bind-chroot-to-freeipa-server.patch
Type: text/x-patch
Size: 774 bytes
Desc: not available
URL:

From lslebodn at redhat.com Mon Mar 7 11:57:56 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 7 Mar 2016 12:57:56 +0100
Subject: [Freeipa-devel] French translation for FreeIPA
In-Reply-To: <56DD6415.1060107@redhat.com>
References: <56DD6415.1060107@redhat.com>
Message-ID: <20160307115755.GF28936@mail.corp.redhat.com>

On (07/03/16 12:20), Martin Kosek wrote:
>On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
>>
>>> Hi all,
>>>
>>> Just a quick note to let you that I completed the translation of what
>>> was available to translate on Zanata.
>>>
>>> Can you please check it passes the QA, that the strings available on
>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>
>>
>> Hello there,
>>
>> No news good news, or everybody is swamped in BZs? :-)
>
>Hi Jérôme,
>
>Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
>Tomas?

FreeIPA 4.2.x will be released sooner :-)
Do you plan to include new translation there?

LS

From mkosek at redhat.com Mon Mar 7 12:03:32 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 7 Mar 2016 13:03:32 +0100
Subject: [Freeipa-devel] French translation for FreeIPA
In-Reply-To: <20160307115755.GF28936@mail.corp.redhat.com>
References: <56DD6415.1060107@redhat.com> <20160307115755.GF28936@mail.corp.redhat.com>
Message-ID: <56DD6E14.3090502@redhat.com>

On 03/07/2016 12:57 PM, Lukas Slebodnik wrote:
> On (07/03/16 12:20), Martin Kosek wrote:
>> On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
>>>
>>>> Hi all,
>>>>
>>>> Just a quick note to let you that I completed the translation of what
>>>> was available to translate on Zanata.
>>>>
>>>> Can you please check it passes the QA, that the strings available on
>>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>>
>>>
>>> Hello there,
>>>
>>> No news good news, or everybody is swamped in BZs? :-)
>>
>> Hi Jérôme,
>>
>> Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
>> Tomas?
> FreeIPA 4.2.x will be released sooner :-)
> Do you plan to include new translation there?

As we do not have branches with our translations, I am actually not sure adding new translations there is a good idea, there may be too big differences with current master in Zanata and what is in FreeIPA 4.2.x. Tomas should know better than I.

From jcholast at redhat.com Mon Mar 7 12:27:36 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 7 Mar 2016 13:27:36 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56DD6A4A.4050004@redhat.com>
References: <56DD6A4A.4050004@redhat.com>
Message-ID: <56DD73B8.3080705@redhat.com>

Hi,

On 7.3.2016 12:47, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5696

Shouldn't we rather fix IPA to work with bind running in chroot (which is AFAIK considered good security practice)?

Honza

--
Jan Cholasta

From fskola at redhat.com Mon Mar 7 13:53:36 2016
From: fskola at redhat.com (Filip Škola)
Date: Mon, 7 Mar 2016 14:53:36 +0100
Subject: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin
In-Reply-To: <991418926.1327028.1450781870579.JavaMail.zimbra@redhat.com>
References: <1693360345.1327020.1450781862487.JavaMail.zimbra@redhat.com> <991418926.1327028.1450781870579.JavaMail.zimbra@redhat.com>
Message-ID: <20160307145336.2fa0f064@dhcp-24-122.brq.redhat.com>

Sorry, forgot to cc you, Milan.

F.

On Tue, 22 Dec 2015 05:57:50 -0500 (EST) Filip Skola wrote:

> And also sending refactored hostgroup plugin test.
>
> F

From pspacek at redhat.com Mon Mar 7 14:17:01 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 7 Mar 2016 15:17:01 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56DD73B8.3080705@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com>
Message-ID: <56DD8D5D.6090301@redhat.com>

On 7.3.2016 13:27, Jan Cholasta wrote:
> Hi,
>
> On 7.3.2016 12:47, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5696
>
> Shouldn't we rather fix IPA to work with bind running in chroot (which is
> AFAIK considered good security practice)?

I would not invest into it:
http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

--
Petr^2 Spacek

From mkosek at redhat.com Mon Mar 7 15:28:25 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 7 Mar 2016 16:28:25 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56DD8D5D.6090301@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com> <56DD8D5D.6090301@redhat.com>
Message-ID: <56DD9E19.6010608@redhat.com>

On 03/07/2016 03:17 PM, Petr Spacek wrote:
> On 7.3.2016 13:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5696
>>
>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>> AFAIK considered good security practice)?
>
> I would not invest into it:
> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

+1

Martin

From pvomacka at redhat.com Mon Mar 7 15:29:55 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 7 Mar 2016 16:29:55 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group
In-Reply-To: <56CF0AD6.4060505@redhat.com>
References: <56CF0AD6.4060505@redhat.com>
Message-ID: <56DD9E73.1020609@redhat.com>

On 02/25/2016 03:08 PM, Lenka Doudova wrote:
> Hi,
>
> here's a patch for webUI tests that provides test for creating user
> without private group.
> Related to ticket https://fedorahosted.org/freeipa/ticket/4986
>
> Since the option to specify GID when creating a user is not available
> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new
> posix group, makes it a default user group instead of 'ipausers' and
> then attempts to create the user without private group. Returning
> default user group value to 'ipausers' is provided even for cases when
> the test fails so it would not block other tests from performing
> properly.
>
> Lenka
>
>

Hi,

ACK, works well.

Pavel^3 Vomacka
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbabinsk at redhat.com Mon Mar 7 17:02:39 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 7 Mar 2016 18:02:39 +0100
Subject: [Freeipa-devel] [PATCH 0138] only search for Kerberos SRV records when autodiscovery was requested
Message-ID: <56DDB42F.2070504@redhat.com>

A quick fix for https://fedorahosted.org/freeipa/ticket/4305

I'm aware that we were talking about putting realmd discovery into IPADiscovery class and stuff, but that is a bit beyond the scope of this ticket.

I will open ticket(s) tracking:

1.) Offload at least the IPA realm DNS discovery to realmd D-Bus interface
2.) rewrite (not refactoring: the stuff also needs a substantial functional redesign IMHO) of the DNS discovery in the client-side installers.

I will make sure that this effort is not forgotten and we are not left with yet-another temporary fix.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0138-only-search-for-Kerberos-SRV-records-when-autodiscov.patch
Type: text/x-patch
Size: 1653 bytes
Desc: not available
URL:

From mkubik at redhat.com Tue Mar 8 09:27:49 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 8 Mar 2016 10:27:49 +0100
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com>
Message-ID: <56DE9B15.40305@redhat.com>

On 01/28/2016 10:45 AM, Filip Skola wrote:
>
>> The same as with patch 0002:
>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
>> W:142,26: Calling a dict.iter*() method (dict-iter-method)
>>
>> Please use dict.items method.
>>
>> --
>> Milan Kubik
>>
>>
> Hi,
>
> attaching a fixed patch. This patch is dependent on updated group plugin test patch 0002-7.
>
> Filip

Hello,

sorry for delay. The patch no longer applies after 0002-8.

--
Milan Kubik

From mkubik at redhat.com Tue Mar 8 09:52:31 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 8 Mar 2016 10:52:31 +0100
Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
In-Reply-To: <713443456.32722025.1456135756669.JavaMail.zimbra@redhat.com>
References: <20151120135636.71171d5c@vor2.netbox.priv> <569CD602.1030604@redhat.com> <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com> <56A7B34E.2050906@redhat.com> <1320714330.19162635.1453974171503.JavaMail.zimbra@redhat.com> <56BA0388.7040307@redhat.com> <56BAF20B.3080305@redhat.com> <56BAF2FB.5050100@redhat.com> <713443456.32722025.1456135756669.JavaMail.zimbra@redhat.com>
Message-ID: <56DEA0DF.2060602@redhat.com>

On 02/22/2016 11:09 AM, Filip Skola wrote:
>
> ----- Original Message -----
>> On 02/10/2016 09:17 AM, Milan Kubík wrote:
>>> On 02/09/2016 04:19 PM, Milan Kubík wrote:
>>>> On 01/28/2016 10:42 AM, Filip Skola wrote:
>>>>> ----- Original Message -----
>>>>>> On 01/25/2016 11:11 AM, Filip Skola wrote:
>>>>>>> ----- Original Message -----
>>>>>>>> On 01/15/2016 03:38 PM, Filip Skola wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> sending rebased patch.
>>>>>>>>>
>>>>>>>>> F.
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> sorry for delays. The patch no longer applies to master. Rebase
>>>>>>>>>> it,
>>>>>>>>>> please.
>>>>>>>>>>
>>>>>>>>>> Milan
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Filip Škola"
>>>>>>>>>> To: "Milan Kubík"
>>>>>>>>>> Cc: freeipa-devel at redhat.com
>>>>>>>>>> Sent: Wednesday, 9 December, 2015 7:01:02 PM
>>>>>>>>>> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor
>>>>>>>>>> test_group_plugin
>>>>>>>>>>
>>>>>>>>>> On Mon, 7 Dec 2015 17:49:18 +0100
>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>
>>>>>>>>>>> On 12/03/2015 08:15 PM, Filip Škola wrote:
>>>>>>>>>>>> On Mon, 30 Nov 2015 17:18:30 +0100
>>>>>>>>>>>> Milan Kubík wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On 11/23/2015 04:42 PM, Filip Škola wrote:
>>>>>>>>>>>>>> Sending updated patch.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> F.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, 23 Nov 2015 14:59:34 +0100
>>>>>>>>>>>>>> Filip Škola wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Found couple of issues (broke some dependencies).
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> NACK
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> F.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100
>>>>>>>>>>>>>>> Filip Škola wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Another one.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> F.
>>>>>>>>>>>>> Hi, the tests look good. Few remarks, though.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. Please, use the shortest copyright notice in new modules.
>>>>>>>>>>>>>
>>>>>>>>>>>>> #
>>>>>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see
>>>>>>>>>>>>> COPYING for
>>>>>>>>>>>>> license #
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2. The tests `test_group_remove_group_from_protected_group` and
>>>>>>>>>>>>> `test_group_full_set_of_objectclass_not_available_post_detach`
>>>>>>>>>>>>> were not ported. Please, include them in the patch.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, for less hassle, please rebase your patches on top of
>>>>>>>>>>>>> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
>>>>>>>>>>>>>
>>>>>>>>>>>>> Which changes the location of tracker implementations and
>>>>>>>>>>>>> prevents
>>>>>>>>>>>>> circular imports.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> these cases are there, in corresponding classes. They are marked
>>>>>>>>>>>> with the original comments. (However I can move them to separate
>>>>>>>>>>>> class if desirable.)
>>>>>>>>>>>>
>>>>>>>>>>>> The copyright notice is changed. Also included a few changes
>>>>>>>>>>>> in the
>>>>>>>>>>>> test with user without private group.
>>>>>>>>>>>>
>>>>>>>>>>>> Filip
>>>>>>>>>>> NACK
>>>>>>>>>>>
>>>>>>>>>>> linter:
>>>>>>>>>>> ************* Module tracker.group_plugin
>>>>>>>>>>> ipatests/test_xmlrpc/tracker/group_plugin.py:257:
>>>>>>>>>>> [E0102(function-redefined), GroupTracker.check_remove_member]
>>>>>>>>>>> method
>>>>>>>>>>> already defined line 253)
>>>>>>>>>>>
>>>>>>>>>>> Probably a leftover after the rebase made on top of my patch.
>>>>>>>>>>> Please
>>>>>>>>>>> fix it. You can check your changes by make-lint script before
>>>>>>>>>>> sending them.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I learned to use make-lint!
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> F.
>>>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> NACK, pylint doesn't seem to like the way the fixtures are imported
>>>>>>>> (pytest does a lot of runtime magic) [1].
>>>>>>>> One possible solution would be [2]. Though, I don't think this
>>>>>>>> would be
>>>>>>>> a good idea in our environment. I suggest to create the fixtures
>>>>>>>> on per
>>>>>>>> module basis.
>>>>>>>>
>>>>>>>>
>>>>>>>> [1]: http://fpaste.org/311949/53118942/
>>>>>>>> [2]:
>>>>>>>> https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Milan Kubik
>>>>>>>>
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> the fixtures were copied into corresponding module. Please note
>>>>>>> that this
>>>>>>> patch has a dependence on my patch 0001 (user plugin).
>>>>>>>
>>>>>>> Filip
>>>>>> Linter:
>>>>>> ************* Module ipatests.test_xmlrpc.tracker.group_plugin
>>>>>> W:100,26: Calling a dict.iter*() method (dict-iter-method)
>>>>>>
>>>>>> please use dict.items
>>>>>>
>>>>>> --
>>>>>> Milan Kubik
>>>>>>
>>>>>>
>>>>> Hi, sorry. This has been fixed in this patch.
>>>>>
>>>>> Filip
>>>> ACK, thanks for the patience. :)
>>>>
>>> Sorry, there are some other things I need clarified. NACK.
>>> Mail will follow later.
>>>
>> What is the purpose of `make_fixture_detach` in your patches? They are
>> not used anywhere and the finalizer does nothing.
>>
>> --
>> Milan Kubik
>>
>>
> Hi,
>
> none, I guess, probably a leftover copied from the tracker in the early days. Deleting the function.
>
> Filip

Ack.

--
Milan Kubik

From mbasti at redhat.com Tue Mar 8 10:43:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 11:43:49 +0100
Subject: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite
Message-ID: <56DEACE5.3030807@redhat.com>

https://fedorahosted.org/freeipa/ticket/5684

patch attached
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0431-Configure-389ds-with-default-cipher-suite.patch
Type: text/x-patch
Size: 2157 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 8 11:02:08 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 12:02:08 +0100
Subject: [Freeipa-devel] [PATCH 0432] stageuser-activate: noralize manager value
Message-ID: <56DEB130.3030005@redhat.com>

https://fedorahosted.org/freeipa/ticket/5481

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0432-stageuser-activate-Normalize-manager-value.patch
Type: text/x-patch
Size: 1859 bytes
Desc: not available
URL:

From ofayans at redhat.com Tue Mar 8 11:38:00 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 8 Mar 2016 12:38:00 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56D9B8CB.3040507@redhat.com>
References: <5640A90B.6030906@redhat.com> <5656D5EE.7010208@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com>
Message-ID: <56DEB998.3070501@redhat.com>

The patches were rebased against the current master

On 03/04/2016 05:33 PM, Martin Basti wrote:
> * old messages have been removed *
>>>>> 1)
>>>>> this method is unused please remove it
>>>>>
>>>>> def test_kra_install_master(self):
>> Well, in fact it is used twice: in both domain levels, so I'd better
>> keep it:
>>
>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
>> --collect-only
>> ====================================================================================
>>
>> test session starts
>> =====================================================================================
>>
>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
pytest.ini
>> plugins: sourceorder, multihost
>> collected 8 items
>>
>
> aah my bad, I forgot that pytest executes it when it begins with test_*
> even in parent class
>>
>>>>> 2)
>>>>> Why are these there? I do not see any usage
>>>>>
>>>>> from env_config import get_global_config
>>>>> config = get_global_config()
>> Removed
>>
>>>>> 3) nitpick
>>>>> + num_clients = 0
>>>>> this is set by default
>> Removed
>>
>>>>> otherwise LGTM
>>>>>
>>>>> Results of testing tomorrow.
>>>>>
>>>>> Martin^2
>>>>>
>>>> I applied all patches including workarounds, but test failed.
>>>>
>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>
>>>>
>>>>
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>> '--setup-ca', '--ip-address', '192.168.144.102',
>>>> '/root/ipatests/replica-info.gpg']
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host
>>>> replica1.ipa.test already exists on the master server.
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should
>>>> remove it before proceeding:
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>>>> host-del replica1.ipa.test
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>> ipa-replica-install command failed. See
>>>> /var/log/ipareplica-install.log for more information
>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3
>>>> FAILED
>> this is exactly the error that happens when a workaround for 5627 is not
>> applied. I have re-run the tests with all the patches and everything
>> passed. Could you please double-check, whether patch 0027 was applied
>> correctly?
>>
>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py --pdb
>> ====================================================================================
>>
>> test session starts
>> =====================================================================================
>>
>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>> plugins: sourceorder, multihost
>> collected 8 items
>>
>> test_integration/test_replica_promotion.py ........
>>
>> ================================================================================
>>
>> 8 passed in 7561.93 seconds
>> =================================================================================
>>
>>
> I will
>
>>> And it needs ticket, otherwise it will not be in 4-3 branch.
>> https://fedorahosted.org/freeipa/ticket/5723
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0024.2-Enabled-setting-domain-level-explicitly-in-test-clas.patch
Type: text/x-patch
Size: 4116 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0026.1-replica-installation-fixes.patch
Type: text/x-patch
Size: 1807 bytes
Desc: not available
URL:

From pvomacka at redhat.com Tue Mar 8 11:43:23 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 8 Mar 2016 12:43:23 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0010] WebUI tests - ID views
In-Reply-To: <56CC6A9D.5060309@redhat.com>
References: <56CC6A9D.5060309@redhat.com>
Message-ID: <56DEBADB.5050503@redhat.com>

On 02/23/2016 03:20 PM, Lenka Doudova wrote:
> Hi,
>
> attached is patch providing missing test coverage for ID views in webUI.
>
> Lenka
>
>

Hi,

Thank you for your patch. I have small one comment: The delete_associtaion() function duplicates code, it would be good to create auxiliary function and move that code there. NACK.

--
Pavel^3 Vomacka
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvoborni at redhat.com Tue Mar 8 11:59:05 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 8 Mar 2016 12:59:05 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group
In-Reply-To: <56DD9E73.1020609@redhat.com>
References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com>
Message-ID: <56DEBE89.70808@redhat.com>

On 03/07/2016 04:29 PM, Pavel Vomacka wrote:
>
>
> On 02/25/2016 03:08 PM, Lenka Doudova wrote:
>> Hi,
>>
>> here's a patch for webUI tests that provides test for creating user
>> without private group.
>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986
>>
>> Since the option to specify GID when creating a user is not available
>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new
>> posix group, makes it a default user group instead of 'ipausers' and
>> then attempts to create the user without private group. Returning
>> default user group value to 'ipausers' is provided even for cases when
>> the test fails so it would not block other tests from performing
>> properly.
>>
>> Lenka
>>
>>
> Hi,
>
> ACK, works well.
>
> Pavel^3 Vomacka
>

NACK, don't use naked except, specify at least 'Exception'
+ except:

--
Petr Vobornik

From ldoudova at redhat.com Tue Mar 8 12:17:35 2016
From: ldoudova at redhat.com (Lenka Doudova) Date: Tue, 8 Mar 2016 13:17:35 +0100 Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group In-Reply-To: <56DEBE89.70808@redhat.com> References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com> <56DEBE89.70808@redhat.com> Message-ID: <56DEC2DF.3000801@redhat.com> On 03/08/2016 12:59 PM, Petr Vobornik wrote: > On 03/07/2016 04:29 PM, Pavel Vomacka wrote: >> >> >> On 02/25/2016 03:08 PM, Lenka Doudova wrote: >>> Hi, >>> >>> here's a patch for webUI tests that provides test for creating user >>> without private group. >>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986 >>> >>> Since the option to specify GID when creating a user is not available >>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new >>> posix group, makes it a default user group instead of 'ipausers' and >>> then attempts to create the user without private group. Returning >>> default user group value to 'ipausers' is provided even for cases when >>> the test fails so it would not block other tests from performing >>> properly. >>> >>> Lenka >>> >>> >> Hi, >> >> ACK, works well. >> >> Pavel^3 Vomacka >> > > NACK, don't use naked except, specify at least 'Exception' > + except: > Thanks, patch fixed according to Petr's review attached. Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0011.2-WebUI-Test-creating-user-without-private-group.patch Type: text/x-patch Size: 2638 bytes Desc: not available URL: From ldoudova at redhat.com Tue Mar 8 13:34:45 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Tue, 8 Mar 2016 14:34:45 +0100 Subject: [Freeipa-devel] [TESTS][PATCH 0010] WebUI tests - ID views In-Reply-To: <56DEBADB.5050503@redhat.com> References: <56CC6A9D.5060309@redhat.com> <56DEBADB.5050503@redhat.com> Message-ID: <56DED4F5.3000608@redhat.com> On 03/08/2016 12:43 PM, Pavel Vomacka wrote: > > > On 02/23/2016 03:20 PM, Lenka Doudova wrote: >> Hi, >> >> attached is patch providing missing test coverage for ID views in webUI. >> >> Lenka >> >> > Hi, > > Thank you for your patch. I have one small comment: The > delete_associtaion() function duplicates code, it would be good to > create auxiliary function and move that code there. NACK. > > -- > Pavel^3 Vomacka > > Hi, thanks for review, fixed patch attached. Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0010.2-WebUI-test-ID-views.patch Type: text/x-patch Size: 9179 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 8 15:21:19 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 8 Mar 2016 16:21:19 +0100 Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty Message-ID: <56DEEDEF.6020105@redhat.com> https://fedorahosted.org/freeipa/ticket/5700 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-3-mbabinsk-0139-otptoken-add-improve-the-robustness-of-QR-code-print.patch Type: text/x-patch Size: 3622 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0139-otptoken-add-improve-the-robustness-of-QR-code-print.patch Type: text/x-patch Size: 3354 bytes Desc: not available URL: From mbasti at redhat.com Tue Mar 8 15:29:50 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 16:29:50 +0100 Subject: [Freeipa-devel] [PATCH 0432] use platform path for SSSD log directory Message-ID: <56DEEFEE.3080507@redhat.com> /var/log/SSSD is platform specific, thus should be added to ipaplatform module Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0433-Use-platform-path-constant-for-SSSD-log-dir.patch Type: text/x-patch Size: 1663 bytes Desc: not available URL: From mbasti at redhat.com Tue Mar 8 15:31:31 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 16:31:31 +0100 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs Message-ID: <56DEF053.4090809@redhat.com> https://fedorahosted.org/freeipa/ticket/4501 Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0434-logging-add-timestamps-to-log-filenames.patch Type: text/x-patch Size: 8682 bytes Desc: not available URL: From mbasti at redhat.com Tue Mar 8 15:33:11 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 16:33:11 +0100 Subject: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin In-Reply-To: <56DEA0DF.2060602@redhat.com> References: <20151120135636.71171d5c@vor2.netbox.priv> <569CD602.1030604@redhat.com> <1869235561.17372506.1453716664538.JavaMail.zimbra@redhat.com> <56A7B34E.2050906@redhat.com> <1320714330.19162635.1453974171503.JavaMail.zimbra@redhat.com> <56BA0388.7040307@redhat.com> <56BAF20B.3080305@redhat.com> <56BAF2FB.5050100@redhat.com> <713443456.32722025.1456135756669.JavaMail.zimbra@redhat.com> <56DEA0DF.2060602@redhat.com> Message-ID: <56DEF0B7.70000@redhat.com> On 08.03.2016 10:52, Milan Kubík wrote: > On 02/22/2016 11:09 AM, Filip Skola wrote: >> >> ----- Original Message ----- >>> On 02/10/2016 09:17 AM, Milan Kubík wrote: >>>> On 02/09/2016 04:19 PM, Milan Kubík wrote: >>>>> On 01/28/2016 10:42 AM, Filip Skola wrote: >>>>>> ----- Original Message ----- >>>>>>> On 01/25/2016 11:11 AM, Filip Skola wrote: >>>>>>>> ----- Original Message ----- >>>>>>>>> On 01/15/2016 03:38 PM, Filip Skola wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> sending rebased patch. >>>>>>>>>> >>>>>>>>>> F. >>>>>>>>>> >>>>>>>>>> ----- Original Message ----- >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> sorry for delays. The patch no longer applies to master. Rebase >>>>>>>>>>> it, >>>>>>>>>>> please. >>>>>>>>>>> >>>>>>>>>>> Milan >>>>>>>>>>> >>>>>>>>>>> ----- Original Message ----- >>>>>>>>>>> 
From: "Filip Škola" >>>>>>>>>>> To: "Milan Kubík" >>>>>>>>>>> Cc: freeipa-devel at redhat.com >>>>>>>>>>> Sent: Wednesday, 9 December, 2015 7:01:02 PM >>>>>>>>>>> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor >>>>>>>>>>> test_group_plugin >>>>>>>>>>> >>>>>>>>>>> On Mon, 7 Dec 2015 17:49:18 +0100 >>>>>>>>>>> Milan Kubík wrote: >>>>>>>>>>> >>>>>>>>>>>> On 12/03/2015 08:15 PM, Filip Škola wrote: >>>>>>>>>>>>> On Mon, 30 Nov 2015 17:18:30 +0100 >>>>>>>>>>>>> Milan Kubík wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> On 11/23/2015 04:42 PM, Filip Škola wrote: >>>>>>>>>>>>>>> Sending updated patch. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> F. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Mon, 23 Nov 2015 14:59:34 +0100 >>>>>>>>>>>>>>> Filip Škola wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Found couple of issues (broke some dependencies). >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> NACK >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> F. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Fri, 20 Nov 2015 13:56:36 +0100 >>>>>>>>>>>>>>>> Filip Škola wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Another one. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> F. >>>>>>>>>>>>>> Hi, the tests look good. Few remarks, though. >>>>>>>>>>>>>> >>>>>>>>>>>>>> 1. Please, use the shortest copyright notice in new modules. >>>>>>>>>>>>>> >>>>>>>>>>>>>> # >>>>>>>>>>>>>> # Copyright (C) 2015 FreeIPA Contributors see >>>>>>>>>>>>>> COPYING for >>>>>>>>>>>>>> license # >>>>>>>>>>>>>> >>>>>>>>>>>>>> 2. The tests >>>>>>>>>>>>>> `test_group_remove_group_from_protected_group` and >>>>>>>>>>>>>> `test_group_full_set_of_objectclass_not_available_post_detach` >>>>>>>>>>>>>> >>>>>>>>>>>>>> were not ported. Please, include them in the patch. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Also, for less hassle, please rebase your patches on top of >>>>>>>>>>>>>> freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Which changes the location of tracker implementations and >>>>>>>>>>>>>> prevents >>>>>>>>>>>>>> circular imports. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks. >>>>>>>>>>>>>> >>>>>>>>>>>>> Hi, >>>>>>>>>>>>> >>>>>>>>>>>>> these cases are there, in corresponding classes. They are >>>>>>>>>>>>> marked >>>>>>>>>>>>> with the original comments. (However I can move them to >>>>>>>>>>>>> separate >>>>>>>>>>>>> class if desirable.) >>>>>>>>>>>>> >>>>>>>>>>>>> The copyright notice is changed. Also included a few changes >>>>>>>>>>>>> in the >>>>>>>>>>>>> test with user without private group. >>>>>>>>>>>>> >>>>>>>>>>>>> Filip >>>>>>>>>>>> NACK >>>>>>>>>>>> >>>>>>>>>>>> linter: >>>>>>>>>>>> ************* Module tracker.group_plugin >>>>>>>>>>>> ipatests/test_xmlrpc/tracker/group_plugin.py:257: >>>>>>>>>>>> [E0102(function-redefined), GroupTracker.check_remove_member] >>>>>>>>>>>> method >>>>>>>>>>>> already defined line 253) >>>>>>>>>>>> >>>>>>>>>>>> Probably a leftover after the rebase made on top of my patch. >>>>>>>>>>>> Please >>>>>>>>>>>> fix it. You can check your changes by make-lint script before >>>>>>>>>>>> sending them. >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I learned to use make-lint! >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> F. >>>>>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> NACK, pylint doesn't seem to like the way the fixtures are >>>>>>>>> imported >>>>>>>>> (pytest does a lot of runtime magic) [1]. >>>>>>>>> One possible solution would be [2]. Though, I don't think this >>>>>>>>> would be >>>>>>>>> a good idea in our environment. I suggest to create the fixtures >>>>>>>>> on per >>>>>>>>> module basis. >>>>>>>>> >>>>>>>>> >>>>>>>>> [1]: http://fpaste.org/311949/53118942/ >>>>>>>>> [2]: >>>>>>>>> https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Milan Kubik >>>>>>>>> >>>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> the fixtures were copied into corresponding module. 
Please note >>>>>>>> that this >>>>>>>> patch has a dependence on my patch 0001 (user plugin). >>>>>>>> >>>>>>>> Filip >>>>>>> Linter: >>>>>>> ************* Module ipatests.test_xmlrpc.tracker.group_plugin >>>>>>> W:100,26: Calling a dict.iter*() method (dict-iter-method) >>>>>>> >>>>>>> please use dict.items >>>>>>> >>>>>>> -- >>>>>>> Milan Kubik >>>>>>> >>>>>>> >>>>>> Hi, sorry. This has been fixed in this patch. >>>>>> >>>>>> Filip >>>>> ACK, thanks for the patience. :) >>>>> >>>> Sorry, there are some other things I need clarified. NACK. >>>> Mail will follow later. >>>> >>> What is the purpose of `make_fixture_detach` in your patches? They are >>> not used anywhere and the finalizer does nothing. >>> >>> -- >>> Milan Kubik >>> >>> >> Hi, >> >> none, I guess, probably a leftover copied from the tracker in the >> early days. Deleting the function. >> >> Filip > Ack. > Pushed to master: de63e16922c4f9926752016a2105bee4b974ba32 From mbasti at redhat.com Tue Mar 8 15:37:27 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 16:37:27 +0100 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs In-Reply-To: <56DEF053.4090809@redhat.com> References: <56DEF053.4090809@redhat.com> Message-ID: <56DEF1B7.40907@redhat.com> On 08.03.2016 16:31, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4501 > > Patch attached. > > Rebased patch attached. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0434.2-logging-add-timestamps-to-log-filenames.patch Type: text/x-patch Size: 8712 bytes Desc: not available URL: From simo at redhat.com Tue Mar 8 15:49:33 2016 
From: simo at redhat.com (Simo Sorce) Date: Tue, 08 Mar 2016 10:49:33 -0500 Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names In-Reply-To: <566193C8.9050609@redhat.com> References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> Message-ID: <1457452173.8257.197.camel@redhat.com> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: > On 12/01/2015 10:08 PM, Simo Sorce wrote: > > On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: > >> On 11/30/2015 07:42 PM, Simo Sorce wrote: > >>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote: > >>>> On 11/24/2015 10:20 PM, Simo Sorce wrote: > >>>>> This addresses #3860, giving admins the option to not require preauth > >>>>> for Hosts and services. > >>>>> > >>>>> I did not add this option by default, although it does reduce the load > >>>>> on the KDC as well as speed up TGT acquisition for service principal > >>>>> accounts that acquire TGTs. > >>>>> > >>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED > >>>>> error while normal users are). > >>>>> > >>>>> HTH, > >>>>> Simo. > >>>>> > >>>>> > >>>>> > >>>> Hi Simo, > >>>> > >>>> I was not able to apply the patch on current master branch: > >>>> > >>>> """ > >>>> git am > >>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch > >>>> -3 > >>>> > >>>> Applying: Allow admins to disable preauth for SPNs. > >>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b > >>>> for 'ipalib/plugins/config.py' > >>>> fatal: git-write-tree: error building trees > >>>> Repository lacks necessary blobs to fall back on 3-way merge. > >>>> Cannot fall back to three-way merge. > >>>> Patch failed at 0001 Allow admins to disable preauth for SPNs. 
> >>>> """ > >>>> > >>>> It seems that I need to apply some of your other patches first (which one?) > >>> > >>> Sorry did not see this question earlier, it requires 556 and 557, I just > >>> bumped that thread. > >>> > >>> Simo. > >>> > >> It seems that I need something else, patch 556-2 applies cleanly, but > >> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master > >> and 4-2 branch. > >> > > > > Rebased 556,557 in their thread, and here is the rebase for 558 on top > > of them. > > > > Simo. > > > > ACK. I'm afraid that this patch and 556, 557 will require another round > of rebase before pushing, though. Rebased on top of master (not on 556/557) per Petr's request. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-simo-558-3-Allow-admins-to-disable-preauth-for-SPNs.patch Type: text/x-patch Size: 6470 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 8 15:51:55 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 8 Mar 2016 16:51:55 +0100 Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names In-Reply-To: <1457452173.8257.197.camel@redhat.com> References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> Message-ID: <56DEF51B.5070808@redhat.com> On 03/08/2016 04:49 PM, Simo Sorce wrote: > On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: >> On 12/01/2015 10:08 PM, Simo Sorce wrote: >>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: >>>> On 11/30/2015 07:42 PM, Simo Sorce wrote: >>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote: >>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote: >>>>>>> This addresses #3860, giving admins the option to not require preauth >>>>>>> for Hosts and services. >>>>>>> >>>>>>> I did not add this option by default, although it does reduce the load >>>>>>> on the KDC as well as speed up TGT acquisition for service principal >>>>>>> accounts that acquire TGTs. >>>>>>> >>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED >>>>>>> error while normal users are). >>>>>>> >>>>>>> HTH, >>>>>>> Simo. >>>>>>> >>>>>>> >>>>>>> >>>>>> Hi Simo, >>>>>> >>>>>> I was not able to apply the patch on current master branch: >>>>>> >>>>>> """ >>>>>> git am >>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch >>>>>> -3 >>>>>> >>>>>> Applying: Allow admins to disable preauth for SPNs. >>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b >>>>>> for 'ipalib/plugins/config.py' >>>>>> fatal: git-write-tree: error building trees >>>>>> Repository lacks necessary blobs to fall back on 3-way merge. >>>>>> Cannot fall back to three-way merge. 
>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs. >>>>>> """ >>>>>> >>>>>> It seems that I need to apply some of your other patches first (which one?) >>>>> >>>>> Sorry did not see this question earlier, it requires 556 and 557, I just >>>>> bumped that thread. >>>>> >>>>> Simo. >>>>> >>>> It seems that I need something else, patch 556-2 applies cleanly, but >>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master >>>> and 4-2 branch. >>>> >>> >>> Rebased 556,557 in their thread, and here is the rebase for 558 on top >>> of them. >>> >>> Simo. >>> >> >> ACK. I'm afraid that this patch and 556, 557 will require another round >> of rebase before pushing, though. > > Rebased on top of master (not on 556/557) per Petr's request. > > Simo. > > NACK, if you do API changes please increment API version in VERSION. -- Martin^3 Babinsky From simo at redhat.com Tue Mar 8 16:00:19 2016 
From: simo at redhat.com (Simo Sorce) Date: Tue, 08 Mar 2016 11:00:19 -0500 Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names In-Reply-To: <56DEF51B.5070808@redhat.com> References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> <56DEF51B.5070808@redhat.com> Message-ID: <1457452819.8257.204.camel@redhat.com> On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote: > On 03/08/2016 04:49 PM, Simo Sorce wrote: > > On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: > >> On 12/01/2015 10:08 PM, Simo Sorce wrote: > >>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: > >>>> On 11/30/2015 07:42 PM, Simo Sorce wrote: > >>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote: > >>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote: > >>>>>>> This addresses #3860, giving admins the option to not require preauth > >>>>>>> for Hosts and services. > >>>>>>> > >>>>>>> I did not add this option by default, although it does reduce the load > >>>>>>> on the KDC as well as speed up TGT acquisition for service principal > >>>>>>> accounts that acquire TGTs. > >>>>>>> > >>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED > >>>>>>> error while normal users are). > >>>>>>> > >>>>>>> HTH, > >>>>>>> Simo. > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> Hi Simo, > >>>>>> > >>>>>> I was not able to apply the patch on current master branch: > >>>>>> > >>>>>> """ > >>>>>> git am > >>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch > >>>>>> -3 > >>>>>> > >>>>>> Applying: Allow admins to disable preauth for SPNs. 
> >>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b > >>>>>> for 'ipalib/plugins/config.py' > >>>>>> fatal: git-write-tree: error building trees > >>>>>> Repository lacks necessary blobs to fall back on 3-way merge. > >>>>>> Cannot fall back to three-way merge. > >>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs. > >>>>>> """ > >>>>>> > >>>>>> It seems that I need to apply some of your other patches first (which one?) > >>>>> > >>>>> Sorry did not see this question earlier, it requires 556 and 557, I just > >>>>> bumped that thread. > >>>>> > >>>>> Simo. > >>>>> > >>>> It seems that I need something else, patch 556-2 applies cleanly, but > >>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master > >>>> and 4-2 branch. > >>>> > >>> > >>> Rebased 556,557 in their thread, and here is the rebase for 558 on top > >>> of them. > >>> > >>> Simo. > >>> > >> > >> ACK. I'm afraid that this patch and 556, 557 will require another round > >> of rebase before pushing, though. > > > > Rebased on top of master (not on 556/557) per Petr's request. > > > > Simo. > > > > > > NACK, if you do API changes please increment API version in VERSION. Why wasn't this a problem in the previous ACK ? Simo. -- Simo Sorce * Red Hat, Inc * New York From mbabinsk at redhat.com Tue Mar 8 16:08:54 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 8 Mar 2016 17:08:54 +0100 Subject: [Freeipa-devel] [PATCH 0140] test_cert_plugin: use only first part of the hostname to construct short name Message-ID: <56DEF916.5040603@redhat.com> https://fedorahosted.org/freeipa/ticket/5688 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0140-test_cert_plugin-use-only-first-part-of-the-hostname.patch Type: text/x-patch Size: 1205 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 8 16:20:11 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 8 Mar 2016 17:20:11 +0100 Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names In-Reply-To: <1457452819.8257.204.camel@redhat.com> References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> <56DEF51B.5070808@redhat.com> <1457452819.8257.204.camel@redhat.com> Message-ID: <56DEFBBB.7020401@redhat.com> On 03/08/2016 05:00 PM, Simo Sorce wrote: > On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote: >> On 03/08/2016 04:49 PM, Simo Sorce wrote: >>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: >>>> On 12/01/2015 10:08 PM, Simo Sorce wrote: >>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: >>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote: >>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote: >>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote: >>>>>>>>> This addresses #3860, giving admins the option to not require preauth >>>>>>>>> for Hosts and services. >>>>>>>>> >>>>>>>>> I did not add this option by default, although it does reduce the load >>>>>>>>> on the KDC as well as speed up TGT acquisition for service principal >>>>>>>>> accounts that acquire TGTs. >>>>>>>>> >>>>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED >>>>>>>>> error while normal users are). >>>>>>>>> >>>>>>>>> HTH, >>>>>>>>> Simo. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Hi Simo, >>>>>>>> >>>>>>>> I was not able to apply the patch on current master branch: >>>>>>>> >>>>>>>> """ >>>>>>>> git am >>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch >>>>>>>> -3 >>>>>>>> >>>>>>>> Applying: Allow admins to disable preauth for SPNs. 
>>>>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b >>>>>>>> for 'ipalib/plugins/config.py' >>>>>>>> fatal: git-write-tree: error building trees >>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge. >>>>>>>> Cannot fall back to three-way merge. >>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs. >>>>>>>> """ >>>>>>>> >>>>>>>> It seems that I need to apply some of your other patches first (which one?) >>>>>>> >>>>>>> Sorry did not see this question earlier, it requires 556 and 557, I just >>>>>>> bumped that thread. >>>>>>> >>>>>>> Simo. >>>>>>> >>>>>> It seems that I need something else, patch 556-2 applies cleanly, but >>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master >>>>>> and 4-2 branch. >>>>>> >>>>> >>>>> Rebased 556,557 in their thread, and here is the rebase for 558 on top >>>>> of them. >>>>> >>>>> Simo. >>>>> >>>> >>>> ACK. I'm afraid that this patch and 556, 557 will require another round >>>> of rebase before pushing, though. >>> >>> Rebased on top of master (not on 556/557) per Petr's request. >>> >>> Simo. >>> >>> >> >> NACK, if you do API changes please increment API version in VERSION. > > Why wasn't this a problem in the previous ACK ? > > Simo. > Probably because I missed it, sorry. -- Martin^3 Babinsky From jcholast at redhat.com Tue Mar 8 16:35:37 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 8 Mar 2016 17:35:37 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56DEEDEF.6020105@redhat.com>
References: <56DEEDEF.6020105@redhat.com>
Message-ID: <56DEFF59.7020907@redhat.com>

Hi,

On 8.3.2016 16:21, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5700

1) Instead of checking for utf-8 in particular, I would prefer a more robust approach:

    try:
        qr = qrcode.QRCode()
        qr.add_data('test')
        qr.make()
        qr.print_ascii(tty=True)
    except UnicodeError:
        # it is not printable
    else:
        # it is printable

2) There is no os.isatty() check to see if stdout is actually a tty.

Honza

--
Jan Cholasta

From mbabinsk at redhat.com Tue Mar 8 16:45:52 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 8 Mar 2016 17:45:52 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56DEFF59.7020907@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com>
Message-ID: <56DF01C0.2010207@redhat.com>

On 03/08/2016 05:35 PM, Jan Cholasta wrote:
> Hi,
>
> On 8.3.2016 16:21, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5700
>
> 1) Instead of checking for utf-8 in particular, I would prefer a more
> robust approach:
>
>     try:
>         qr = qrcode.QRCode()
>         qr.add_data('test')
>         qr.make()
>         qr.print_ascii(tty=True)
>     except UnicodeError:
>         # it is not printable
>     else:
>         # it is printable
>
Now you mean the check in the _check_qrcode_capability() or the _print_qrcode() method itself?

>
> 2) There is no os.isatty() check to see if stdout is actually a tty.
>
This check is performed inside both print_ascii() and print_tty() methods of QRCode object, but you probably mean that I should put the check also into _check_qrcode_capability() method, right?

>
> Honza
>

--
Martin^3 Babinsky

From simo at redhat.com Tue Mar 8 16:50:25 2016
From: simo at redhat.com (Simo Sorce) Date: Tue, 08 Mar 2016 11:50:25 -0500 Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names In-Reply-To: <56DEFBBB.7020401@redhat.com> References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> <56DEF51B.5070808@redhat.com> <1457452819.8257.204.camel@redhat.com> <56DEFBBB.7020401@redhat.com> Message-ID: <1457455825.8257.205.camel@redhat.com> On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote: > On 03/08/2016 05:00 PM, Simo Sorce wrote: > > On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote: > >> On 03/08/2016 04:49 PM, Simo Sorce wrote: > >>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote: > >>>> On 12/01/2015 10:08 PM, Simo Sorce wrote: > >>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote: > >>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote: > >>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote: > >>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote: > >>>>>>>>> This addresses #3860, giving admins the option to not require preauth > >>>>>>>>> for Hosts and services. > >>>>>>>>> > >>>>>>>>> I did not add this option by default, although it does reduce the load > >>>>>>>>> on the KDC as well as speed up TGT acquisition for service principal > >>>>>>>>> accounts that acquire TGTs. > >>>>>>>>> > >>>>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED > >>>>>>>>> error while normal users are). > >>>>>>>>> > >>>>>>>>> HTH, > >>>>>>>>> Simo. 
> >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>> Hi Simo, > >>>>>>>> > >>>>>>>> I was not able to apply the patch on current master branch: > >>>>>>>> > >>>>>>>> """ > >>>>>>>> git am > >>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch > >>>>>>>> -3 > >>>>>>>> > >>>>>>>> Applying: Allow admins to disable preauth for SPNs. > >>>>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b > >>>>>>>> for 'ipalib/plugins/config.py' > >>>>>>>> fatal: git-write-tree: error building trees > >>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge. > >>>>>>>> Cannot fall back to three-way merge. > >>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs. > >>>>>>>> """ > >>>>>>>> > >>>>>>>> It seems that I need to apply some of your other patches first (which one?) > >>>>>>> > >>>>>>> Sorry did not see this question earlier, it requires 556 and 557, I just > >>>>>>> bumped that thread. > >>>>>>> > >>>>>>> Simo. > >>>>>>> > >>>>>> It seems that I need something else, patch 556-2 applies cleanly, but > >>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master > >>>>>> and 4-2 branch. > >>>>>> > >>>>> > >>>>> Rebased 556,557 in their thread, and here is the rebase for 558 on top > >>>>> of them. > >>>>> > >>>>> Simo. > >>>>> > >>>> > >>>> ACK. I'm afraid that this patch and 556, 557 will require another round > >>>> of rebase before pushing, though. > >>> > >>> Rebased on top of master (not on 556/557) per Petr's request. > >>> > >>> Simo. > >>> > >>> > >> > >> NACK, if you do API changes please increment API version in VERSION. > > > > Why wasn't this a problem in the previous ACK ? > > > > Simo. > > > > Probably because I missed it, sorry. > Fixed. Simo. -- Simo Sorce * Red Hat, Inc * New York -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-simo-558-4-Allow-admins-to-disable-preauth-for-SPNs.patch Type: text/x-patch Size: 7071 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 8 17:02:51 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 8 Mar 2016 18:02:51 +0100
Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names
In-Reply-To: <1457455825.8257.205.camel@redhat.com>
References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> <56DEF51B.5070808@redhat.com> <1457452819.8257.204.camel@redhat.com> <56DEFBBB.7020401@redhat.com> <1457455825.8257.205.camel@redhat.com>
Message-ID: <56DF05BB.3010206@redhat.com>

On 03/08/2016 05:50 PM, Simo Sorce wrote:
> On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote:
>> On 03/08/2016 05:00 PM, Simo Sorce wrote:
>>> On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
>>>> On 03/08/2016 04:49 PM, Simo Sorce wrote:
>>>>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
>>>>>> On 12/01/2015 10:08 PM, Simo Sorce wrote:
>>>>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
>>>>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote:
>>>>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:
>>>>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote:
>>>>>>>>>>> This addresses #3860, giving admins the option to not require preauth
>>>>>>>>>>> for Hosts and services.
>>>>>>>>>>>
>>>>>>>>>>> I did not add this option by default, although it does reduce the load
>>>>>>>>>>> on the KDC as well as speed up TGT acquisition for service principal
>>>>>>>>>>> accounts that acquire TGTs.
>>>>>>>>>>>
>>>>>>>>>>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED
>>>>>>>>>>> error while normal users are).
>>>>>>>>>>>
>>>>>>>>>>> HTH,
>>>>>>>>>>> Simo.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Hi Simo,
>>>>>>>>>>
>>>>>>>>>> I was not able to apply the patch on current master branch:
>>>>>>>>>>
>>>>>>>>>> """
>>>>>>>>>> git am
>>>>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
>>>>>>>>>> -3
>>>>>>>>>>
>>>>>>>>>> Applying: Allow admins to disable preauth for SPNs.
>>>>>>>>>> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
>>>>>>>>>> for 'ipalib/plugins/config.py'
>>>>>>>>>> fatal: git-write-tree: error building trees
>>>>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge.
>>>>>>>>>> Cannot fall back to three-way merge.
>>>>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs.
>>>>>>>>>> """
>>>>>>>>>>
>>>>>>>>>> It seems that I need to apply some of your other patches first (which one?)
>>>>>>>>>
>>>>>>>>> Sorry did not see this question earlier, it requires 556 and 557, I just
>>>>>>>>> bumped that thread.
>>>>>>>>>
>>>>>>>>> Simo.
>>>>>>>>>
>>>>>>>> It seems that I need something else, patch 556-2 applies cleanly, but
>>>>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master
>>>>>>>> and 4-2 branch.
>>>>>>>>
>>>>>>>
>>>>>>> Rebased 556,557 in their thread, and here is the rebase for 558 on top
>>>>>>> of them.
>>>>>>>
>>>>>>> Simo.
>>>>>>>
>>>>>>
>>>>>> ACK. I'm afraid that this patch and 556, 557 will require another round
>>>>>> of rebase before pushing, though.
>>>>>
>>>>> Rebased on top of master (not on 556/557) per Petr's request.
>>>>>
>>>>> Simo.
>>>>>
>>>>>
>>>>
>>>> NACK, if you do API changes please increment API version in VERSION.
>>>
>>> Why wasn't this a problem in the previous ACK ?
>>>
>>> Simo.
>>>
>>
>> Probably because I missed it, sorry.
>>
>
> Fixed.
>
> Simo.
>

Thanks, ACK.

--
Martin^3 Babinsky

From mbasti at redhat.com Tue Mar 8 17:24:13 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 18:24:13 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56DEB998.3070501@redhat.com> References: <5640A90B.6030906@redhat.com> <565862E6.4020100@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> Message-ID: <56DF0ABD.4040603@redhat.com> On 08.03.2016 12:38, Oleg Fayans wrote: > The patches were rebased against the current master > > On 03/04/2016 05:33 PM, Martin Basti wrote: >> * old messages have been removed * >>>>>> 1) >>>>>> this method is unused please remove it >>>>>> >>>>>> def test_kra_install_master(self): >>> Well, in fact it is used twice: in both domain levels, so I'd better >>> keep it: >>> >>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>> --collect-only >>> ==================================================================================== >>> >>> test session starts >>> ===================================================================================== >>> >>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 
>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>> plugins: sourceorder, multihost >>> collected 8 items >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >> aah my bad, I forgot that pytest executes it when it begins with test_* >> even in parent class >>>>>> 2) >>>>>> Why are these there? I do not see any usage >>>>>> >>>>>> from env_config import get_global_config >>>>>> config = get_global_config() >>> Removed >>> >>>>>> 3) nitpick >>>>>> + num_clients = 0 >>>>>> this is set by default >>> Removed >>> >>>>>> otherwise LGTM >>>>>> >>>>>> Results of testing tomorrow. >>>>>> >>>>>> Martin^2 >>>>>> >>>>> I applied all patches including workarounds, but test failed. >>>>> >>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>> >>>>> >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>> '/root/ipatests/replica-info.gpg'] >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>> replica1.ipa.test already exists on the master server. >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>> remove it before proceeding: >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>> host-del replica1.ipa.test >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>> ipa-replica-install command failed. See >>>>> /var/log/ipareplica-install.log for more information >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit code: 3 >>>>> FAILED >>> this is exactly the error that happens when a workaround for 5627 is not >>> applied. I have re-run the tests with all the patches and everything >>> passed. Could you please double-check, whether patch 0027 was applied >>> correctly? 
>>> >>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py --pdb >>> ==================================================================================== >>> >>> test session starts >>> ===================================================================================== >>> >>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>> plugins: sourceorder, multihost >>> collected 8 items >>> >>> test_integration/test_replica_promotion.py ........ >>> >>> ================================================================================ >>> >>> 8 passed in 7561.93 seconds >>> ================================================================================= >>> >>> >> I will >> >>>> And it needs ticket, otherwise it will not be in 4-3 branch. >>> https://fedorahosted.org/freeipa/ticket/5723 NACK 1) ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options. [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system may be partly configured. [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run /usr/sbin/ipa-server-install --uninstall to clean up. 
[ipa.ipatests.test_integration.host.Host.replica2.cmd65] [ipa.ipatests.test_integration.host.Host.replica2.cmd65] ipa.ipapython.install.cli.install_tool(Replica): ERROR You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0. [ipa.ipatests.test_integration.host.Host.replica2.cmd65] ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 FAILED 2) ipatests.test_integration.test_replica_promotion.TestKRAInstall [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system may be partly configured. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run /usr/sbin/ipa-server-install --uninstall to clean up. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] ipa.ipapython.install.cli.install_tool(Replica): ERROR You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. 
See /var/log/ipareplica-install.log for more information [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 FAILED 3) ipatests.test_integration.test_replica_promotion.TestCAInstall [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system may be partly configured. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run /usr/sbin/ipa-server-install --uninstall to clean up. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] [ipa.ipatests.test_integration.host.Host.replica2.cmd22] ipa.ipapython.install.cli.install_tool(Replica): ERROR You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0. [ipa.ipatests.test_integration.host.Host.replica2.cmd22] ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. 
See /var/log/ipareplica-install.log for more information [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 FAILED Reason: def install_replica(master, replica, setup_ca=True, setup_dns=False, - setup_kra=False, extra_args=()): + setup_kra=False, extra_args=(), domain_level=None): + if domain_level is None: + domain_level = domainlevel(master) - if domainlevel(master) == DOMAIN_LEVEL_0: + if domainlevel == DOMAIN_LEVEL_0: domain_level variable is actually unused From mbasti at redhat.com Tue Mar 8 17:49:30 2016 
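Review bot: in install_replica, the rewritten test "if domainlevel == DOMAIN_LEVEL_0:" compares the domainlevel function itself with the constant instead of the domain_level value assigned just above it, so the comparison can never be true and the level 0 branch is skipped. That matches the failing runs quoted above, where ipa-replica-install is called with "-r IPA.TEST" and no replica file on a level 0 domain. The condition should read "if domain_level == DOMAIN_LEVEL_0:" so that both an explicit domain_level argument and the domainlevel(master) fallback are honoured.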
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 18:49:30 +0100
Subject: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names
In-Reply-To: <56DF05BB.3010206@redhat.com>
References: <1448400058.29102.17.camel@redhat.com> <56558064.7010600@redhat.com> <1448908922.3747.94.camel@redhat.com> <565DB5E1.8040500@redhat.com> <1449004137.9040.18.camel@redhat.com> <566193C8.9050609@redhat.com> <1457452173.8257.197.camel@redhat.com> <56DEF51B.5070808@redhat.com> <1457452819.8257.204.camel@redhat.com> <56DEFBBB.7020401@redhat.com> <1457455825.8257.205.camel@redhat.com> <56DF05BB.3010206@redhat.com>
Message-ID: <56DF10AA.4010601@redhat.com>

On 08.03.2016 18:02, Martin Babinsky wrote:
> On 03/08/2016 05:50 PM, Simo Sorce wrote:
>> On Tue, 2016-03-08 at 17:20 +0100, Martin Babinsky wrote:
>>> On 03/08/2016 05:00 PM, Simo Sorce wrote:
>>>> On Tue, 2016-03-08 at 16:51 +0100, Martin Babinsky wrote:
>>>>> On 03/08/2016 04:49 PM, Simo Sorce wrote:
>>>>>> On Fri, 2015-12-04 at 14:23 +0100, Martin Babinsky wrote:
>>>>>>> On 12/01/2015 10:08 PM, Simo Sorce wrote:
>>>>>>>> On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
>>>>>>>>> On 11/30/2015 07:42 PM, Simo Sorce wrote:
>>>>>>>>>> On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:
>>>>>>>>>>> On 11/24/2015 10:20 PM, Simo Sorce wrote:
>>>>>>>>>>>> This addresses #3860, giving admins the option to not
>>>>>>>>>>>> require preauth
>>>>>>>>>>>> for Hosts and services.
>>>>>>>>>>>>
>>>>>>>>>>>> I did not add this option by default, although it does
>>>>>>>>>>>> reduce the load
>>>>>>>>>>>> on the KDC as well as speed up TGT acquisition for service
>>>>>>>>>>>> principal
>>>>>>>>>>>> accounts that acquire TGTs.
>>>>>>>>>>>>
>>>>>>>>>>>> Tested and working as expected (SPNs are not returned
>>>>>>>>>>>> PREAUTH_NEEDED
>>>>>>>>>>>> error while normal users are).
>>>>>>>>>>>>
>>>>>>>>>>>> HTH,
>>>>>>>>>>>> Simo.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Hi Simo,
>>>>>>>>>>>
>>>>>>>>>>> I was not able to apply the patch on current master branch:
>>>>>>>>>>>
>>>>>>>>>>> """
>>>>>>>>>>> git am
>>>>>>>>>>> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
>>>>>>>>>>>
>>>>>>>>>>> -3
>>>>>>>>>>>
>>>>>>>>>>> Applying: Allow admins to disable preauth for SPNs.
>>>>>>>>>>> error: invalid object 100644
>>>>>>>>>>> a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
>>>>>>>>>>> for 'ipalib/plugins/config.py'
>>>>>>>>>>> fatal: git-write-tree: error building trees
>>>>>>>>>>> Repository lacks necessary blobs to fall back on 3-way merge.
>>>>>>>>>>> Cannot fall back to three-way merge.
>>>>>>>>>>> Patch failed at 0001 Allow admins to disable preauth for SPNs.
>>>>>>>>>>> """
>>>>>>>>>>>
>>>>>>>>>>> It seems that I need to apply some of your other patches
>>>>>>>>>>> first (which one?)
>>>>>>>>>>
>>>>>>>>>> Sorry did not see this question earlier, it requires 556 and
>>>>>>>>>> 557, I just
>>>>>>>>>> bumped that thread.
>>>>>>>>>>
>>>>>>>>>> Simo.
>>>>>>>>>>
>>>>>>>>> It seems that I need something else, patch 556-2 applies
>>>>>>>>> cleanly, but
>>>>>>>>> patch 557-3 fails with http://fpaste.org/296230/89819431/ on
>>>>>>>>> both master
>>>>>>>>> and 4-2 branch.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Rebased 556,557 in their thread, and here is the rebase for 558
>>>>>>>> on top
>>>>>>>> of them.
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>
>>>>>>> ACK. I'm afraid that this patch and 556, 557 will require
>>>>>>> another round
>>>>>>> of rebase before pushing, though.
>>>>>>
>>>>>> Rebased on top of master (not on 556/557) per Petr's request.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>>>
>>>>>
>>>>> NACK, if you do API changes please increment API version in VERSION.
>>>>
>>>> Why wasn't this a problem in the previous ACK ?
>>>>
>>>> Simo.
>>>>
>>>
>>> Probably because I missed it, sorry.
>>>
>>
>> Fixed.
>>
>> Simo.
>>
>
> Thanks, ACK.
>

Pushed to:
master: 3e45c9be0aefb03751665a951f426ac59c50a551
ipa-4-3: 9137ff497be16e1afb4bdac9f58097318ce38953

From mbasti at redhat.com Tue Mar 8 18:07:15 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 19:07:15 +0100
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56DEF1B7.40907@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com>
Message-ID: <56DF14D3.5050400@redhat.com>

On 08.03.2016 16:37, Martin Basti wrote:
>
>
> On 08.03.2016 16:31, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/4501
>>
>> Patch attached.
>>
>>
> Rebased patch attached.
>
>

self-NACK

Scripts print to CLI unformatted strings, it should not be so easy.

See /var/log/ipaupgrade-{timestamp}.log for more information

From mbasti at redhat.com Tue Mar 8 19:04:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 20:04:02 +0100
Subject: [Freeipa-devel] [PATCH] CONFIGURE: Replace obsolete macros
In-Reply-To: <20160202083637.GA11351@mail.corp.redhat.com>
References: <20160202083637.GA11351@mail.corp.redhat.com>
Message-ID: <56DF2222.1030605@redhat.com>

On 02.02.2016 09:36, Lukas Slebodnik wrote:
> ehlo,
>
> The AC_PROG_LIBTOOL macro is obsoleted by since libtool-2.0
> which is already in rhel6+
>
> https://fedorahosted.org/FedoraReview/wiki/AutoTools
>
> simple patch is attached
>
> LS
>
>

ACK

Pushed to master: ebbb2eba5bdf3eee9eca3e3db2b8964db5d8131f

Martin^2

From mbasti at redhat.com Tue Mar 8 19:18:06 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 20:18:06 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56DF0ABD.4040603@redhat.com> References: <5640A90B.6030906@redhat.com> <56586807.9080805@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> Message-ID: <56DF256E.8010000@redhat.com> On 08.03.2016 18:24, Martin Basti wrote: > > > On 08.03.2016 12:38, Oleg Fayans wrote: >> The patches were rebased against the current master >> >> On 03/04/2016 05:33 PM, Martin Basti wrote: >>> * old messages have been removed * >>>>>>> 1) >>>>>>> this method is unused please remove it >>>>>>> >>>>>>> def test_kra_install_master(self): >>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>> keep it: >>>> >>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>> --collect-only >>>> ==================================================================================== >>>> >>>> >>>> test session starts >>>> ===================================================================================== 
>>>> >>>> >>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>> pytest.ini >>>> plugins: sourceorder, multihost >>>> collected 8 items >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> aah my bad, I forgot that pytest executes it when it begins with test_* >>> even in parent class >>>>>>> 2) >>>>>>> Why are these there? I do not see any usage >>>>>>> >>>>>>> from env_config import get_global_config >>>>>>> config = get_global_config() >>>> Removed >>>> >>>>>>> 3) nitpick >>>>>>> + num_clients = 0 >>>>>>> this is set by default >>>> Removed >>>> >>>>>>> otherwise LGTM >>>>>>> >>>>>>> Results of testing tomorrow. >>>>>>> >>>>>>> Martin^2 >>>>>>> >>>>>> I applied all patches including workarounds, but test failed. >>>>>> >>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>> '/root/ipatests/replica-info.gpg'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>> replica1.ipa.test already exists on the master server. >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>> remove it before proceeding: >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>> host-del replica1.ipa.test >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>> ipa-replica-install command failed. See >>>>>> /var/log/ipareplica-install.log for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>> code: 3 >>>>>> FAILED >>>> this is exactly the error that happens when a workaround for 5627 >>>> is not >>>> applied. 
I have re-run the tests with all the patches and everything >>>> passed. Could you please double-check, whether patch 0027 was applied >>>> correctly? >>>> >>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>> --pdb >>>> ==================================================================================== >>>> >>>> >>>> test session starts >>>> ===================================================================================== >>>> >>>> >>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>> pytest.ini >>>> plugins: sourceorder, multihost >>>> collected 8 items >>>> >>>> test_integration/test_replica_promotion.py ........ >>>> >>>> ================================================================================ >>>> >>>> >>>> 8 passed in 7561.93 seconds >>>> ================================================================================= >>>> >>>> >>>> >>> I will >>> >>>>> And it needs ticket, otherwise it will not be in 4-3 branch. >>>> https://fedorahosted.org/freeipa/ticket/5723 > NACK > > 1) > ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 > > > [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] > RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', > 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', > 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN > ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', > '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is > already configured on this system, ignoring the --domain, --server, > --realm, --hostname, --password and --keytab options. > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system > may be partly configured. 
> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run > /usr/sbin/ipa-server-install --uninstall to clean up. > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] > ipa.ipapython.install.cli.install_tool(Replica): ERROR You must > provide a file generated by ipa-replica-prepare to create a replica > when the domain is at level 0. > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] > ipa.ipapython.install.cli.install_tool(Replica): ERROR The > ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 > FAILED > > 2) > ipatests.test_integration.test_replica_promotion.TestKRAInstall > > [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] > RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', > 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', > 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN > ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', > '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is > already configured on this system, ignoring the --domain, --server, > --realm, --hostname, --password and --keytab options. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system > may be partly configured. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run > /usr/sbin/ipa-server-install --uninstall to clean up. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > ipa.ipapython.install.cli.install_tool(Replica): ERROR You must > provide a file generated by ipa-replica-prepare to create a replica > when the domain is at level 0. 
> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > ipa.ipapython.install.cli.install_tool(Replica): ERROR The > ipa-replica-install command failed. See > /var/log/ipareplica-install.log for more information > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 > FAILED > > > 3) > ipatests.test_integration.test_replica_promotion.TestCAInstall > > [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] > RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', > 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', > '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN > ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', > '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', > '192.168.200.103', '-r', 'IPA.TEST'] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is > already configured on this system, ignoring the --domain, --server, > --realm, --hostname, --password and --keytab options. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system > may be partly configured. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run > /usr/sbin/ipa-server-install --uninstall to clean up. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > ipa.ipapython.install.cli.install_tool(Replica): ERROR You must > provide a file generated by ipa-replica-prepare to create a replica > when the domain is at level 0. > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] > ipa.ipapython.install.cli.install_tool(Replica): ERROR The > ipa-replica-install command failed. 
See > /var/log/ipareplica-install.log for more information > [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 > FAILED > > > Reason: > > def install_replica(master, replica, setup_ca=True, setup_dns=False, > - setup_kra=False, extra_args=()): > + setup_kra=False, extra_args=(), domain_level=None): > + if domain_level is None: > + domain_level = domainlevel(master) > > - if domainlevel(master) == DOMAIN_LEVEL_0: > + if domainlevel == DOMAIN_LEVEL_0: > > domain_level variable is actually unused > Also with your patch that removes host_prepare, I see many following errors in test debug output [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: cd: /root/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: /root/ipatests/env.sh: No such file or directory I do not see these errors in current tests, so the patch does not seem right to me. From mbasti at redhat.com Tue Mar 8 19:24:05 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 8 Mar 2016 20:24:05 +0100 Subject: [Freeipa-devel] [PATCH 0140] test_cert_plugin: use only first part of the hostname to construct short name In-Reply-To: <56DEF916.5040603@redhat.com> References: <56DEF916.5040603@redhat.com> Message-ID: <56DF26D5.4050701@redhat.com> On 08.03.2016 17:08, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5688 > > > Pushed to: master: abe3abb46699428038cd77f13b814de69fd7d0a2 ipa-4-3: bbad720138575f7655154dd3ed52c590970d9961 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Mar 8 19:25:54 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 20:25:54 +0100
Subject: [Freeipa-devel] [PATCH 0140] test_cert_plugin: use only first part of the hostname to construct short name
In-Reply-To: <56DF26D5.4050701@redhat.com>
References: <56DEF916.5040603@redhat.com> <56DF26D5.4050701@redhat.com>
Message-ID: <56DF2742.7040208@redhat.com>

On 08.03.2016 20:24, Martin Basti wrote:
>
>
> On 08.03.2016 17:08, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5688
>>
>>
>>
> Pushed to:
> master: abe3abb46699428038cd77f13b814de69fd7d0a2
> ipa-4-3: bbad720138575f7655154dd3ed52c590970d9961
>
>
>

ACK :-)

From mbasti at redhat.com Tue Mar 8 19:34:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 8 Mar 2016 20:34:02 +0100
Subject: [Freeipa-devel] [PATCH 0436] krb5.conf: use 'true' instead of 'yes'
Message-ID: <56DF292A.7090300@redhat.com>

https://fedorahosted.org/freeipa/ticket/5518

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0436-krb5conf-use-true-instead-of-yes-for-forwardable-opt.patch
Type: text/x-patch
Size: 2817 bytes
Desc: not available
URL:

From ftweedal at redhat.com Wed Mar 9 03:47:42 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 9 Mar 2016 13:47:42 +1000
Subject: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite
In-Reply-To: <56DEACE5.3030807@redhat.com>
References: <56DEACE5.3030807@redhat.com>
Message-ID: <20160309034742.GX12127@dhcp-40-8.bne.redhat.com>

On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5684
>
> patch attached

I think the comment in install/updates/20-sslciphers.update should
be updated. Apart from that, ACK.

Cheers,
Fraser

From jcholast at redhat.com Wed Mar 9 06:06:39 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 9 Mar 2016 07:06:39 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56DF01C0.2010207@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com>
Message-ID: <56DFBD6F.8010100@redhat.com>

On 8.3.2016 17:45, Martin Babinsky wrote:
> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>> Hi,
>>
>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5700
>>
>> 1) Instead of checking for utf-8 in particular, I would prefer a more
>> robust approach:
>>
>>     try:
>>         qr = qrcode.QRCode()
>>         qr.add_data('test')
>>         qr.make()
>>         qr.print_ascii(tty=True)
>>     except UnicodeError:
>>         # it is not printable
>>     else:
>>         # it is printable
>>
> Now you mean the check in the _check_qrcode_capability() or the
> _print_qrcode() method itself?

_check_qrcode_capability() of course.

>>
>> 2) There is no os.isatty() check to see if stdout is actually a tty.
>>
> This check is performed inside both print_ascii() and print_tty()
> methods of QRCode object, but you probably mean that I should put the
> check also into _check_qrcode_capability() method, right?

Yes. If stdout is not a tty, we should at least not tty=True in print_ascii().

>>
>> Honza
>>
>
>

--
Jan Cholasta

From mbasti at redhat.com Wed Mar 9 08:53:35 2016
From: mbasti at redhat.com (Martin Basti) Date: Wed, 9 Mar 2016 09:53:35 +0100 Subject: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite In-Reply-To: <20160309034742.GX12127@dhcp-40-8.bne.redhat.com> References: <56DEACE5.3030807@redhat.com> <20160309034742.GX12127@dhcp-40-8.bne.redhat.com> Message-ID: <56DFE48F.20601@redhat.com> On 09.03.2016 04:47, Fraser Tweedale wrote: > On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5684 >> >> patch attached > I think the comment in install/updates/20-sslciphers.update should > be updated. Apart from that, ACK. > > Cheers, > Fraser Thanks, updated patch attached. Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0431.2-Configure-389ds-with-default-cipher-suite.patch Type: text/x-patch Size: 2301 bytes Desc: not available URL: From lslebodn at redhat.com Wed Mar 9 08:59:06 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 9 Mar 2016 09:59:06 +0100 Subject: [Freeipa-devel] [PATCH] SPEC: Remove unused build dependency on libwbclient Message-ID: <20160309085905.GA3115@mail.corp.redhat.com> ehlo, simple patch is attached. LS -------------- next part -------------- >From 3fe91e54c11245c3a773bc2cff5504b7a5f6ad16 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 9 Mar 2016 09:53:07 +0100 Subject: [PATCH] SPEC: Remove unused build dependency on libwbclient The string "wbclient" is not mentioned anywhere in source code and there isn't any issue with building freeipa packages without this package. --- BUILD.txt | 2 +- freeipa.spec.in | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index fb1a7996b6b0c69c5431b180eec65c2549448d91..d9484956dc4449fa43ff0a1146ca9cdf5b3e021e 100644 --- a/BUILD.txt +++ b/BUILD.txt 
@@ -16,7 +16,7 @@ or This is currently (2015-05-07): yum install rpm-build 389-ds-base-devel svrcore-devel policycoreutils \ -systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ +systemd-units samba-devel samba-python libtalloc-devel \ libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ autoconf automake m4 libtool gettext python-devel python-ldap \ diff --git a/freeipa.spec.in b/freeipa.spec.in index bc47df4c916bd8f091fc2f70330d95bd116ad187..9e277020d70215e052ab6c905b1c6a29ae6cdd4d 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -48,7 +48,6 @@ BuildRequires: policycoreutils >= 2.1.12-5 BuildRequires: systemd-units BuildRequires: samba-devel >= %{samba_version} BuildRequires: samba-python -BuildRequires: libwbclient-devel BuildRequires: libtalloc-devel BuildRequires: libtevent-devel %endif # ONLY_CLIENT -- 2.7.2 From ftweedal at redhat.com Wed Mar 9 09:04:02 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 9 Mar 2016 19:04:02 +1000 Subject: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite In-Reply-To: <56DFE48F.20601@redhat.com> References: <56DEACE5.3030807@redhat.com> <20160309034742.GX12127@dhcp-40-8.bne.redhat.com> <56DFE48F.20601@redhat.com> Message-ID: <20160309090402.GY12127@dhcp-40-8.bne.redhat.com> On Wed, Mar 09, 2016 at 09:53:35AM +0100, Martin Basti wrote: > > > On 09.03.2016 04:47, Fraser Tweedale wrote: > >On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote: > >>https://fedorahosted.org/freeipa/ticket/5684 > >> > >>patch attached > >I think the comment in install/updates/20-sslciphers.update should > >be updated. Apart from that, ACK. > > > >Cheers, > >Fraser > Thanks, > > updated patch attached. > > Martin^2 > ACK From mbasti at redhat.com Wed Mar 9 09:06:04 2016 
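Review bot: the BUILD.txt hunk of the libwbclient patch edits the package list that sits directly under the context line "This is currently (2015-05-07):" but leaves that date untouched, so the file keeps claiming the list was last verified in May 2015. Bump the date together with the list, or drop the date from the sentence so it cannot go stale again.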
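Review bot: in the freeipa.spec.in hunk of the libwbclient patch, "BuildRequires: samba-devel >= %{samba_version}" stays right above the removed line, so a build that succeeds without listing libwbclient-devel does not by itself show the package was absent from the buildroot; it may still be installed as a dependency of samba-devel. The commit message's other argument, that the string "wbclient" appears nowhere in the source, is the stronger one; please state that the search covered the build system files as well as the sources.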
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 10:06:04 +0100
Subject: [Freeipa-devel] [PATCH 431] Configure 389ds with default cipher suite
In-Reply-To: <20160309090402.GY12127@dhcp-40-8.bne.redhat.com>
References: <56DEACE5.3030807@redhat.com> <20160309034742.GX12127@dhcp-40-8.bne.redhat.com> <56DFE48F.20601@redhat.com> <20160309090402.GY12127@dhcp-40-8.bne.redhat.com>
Message-ID: <56DFE77C.1040500@redhat.com>

On 09.03.2016 10:04, Fraser Tweedale wrote:
> On Wed, Mar 09, 2016 at 09:53:35AM +0100, Martin Basti wrote:
>>
>> On 09.03.2016 04:47, Fraser Tweedale wrote:
>>> On Tue, Mar 08, 2016 at 11:43:49AM +0100, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5684
>>>>
>>>> patch attached
>>> I think the comment in install/updates/20-sslciphers.update should
>>> be updated. Apart from that, ACK.
>>>
>>> Cheers,
>>> Fraser
>> Thanks,
>>
>> updated patch attached.
>>
>> Martin^2
>>
> ACK

Pushed to:
master: dd86f83c96961390f756e35496447d6aeae64df6
ipa-4-3: 3c4a8c89320e734d11ca2d5adadbbd6485c04722

From lslebodn at redhat.com Wed Mar 9 09:44:00 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 9 Mar 2016 10:44:00 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160203133037.GB2962@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com> <20160129113147.GF24839@mail.corp.redhat.com> <20160129175913.GC21804@redhat.com> <20160203133037.GB2962@mail.corp.redhat.com>
Message-ID: <20160309094359.GC3115@mail.corp.redhat.com>

On (03/02/16 14:30), Lukas Slebodnik wrote:
>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>ehlo,
>>>>
>>>>attached patch should fix build on fedora-24.
>>>>It blocks static analysis scan.
>>>>
>>>>Even though it unblocks build on fedora-24
>>>>the solution is not ideal. It's possible that some changes
>>>>need to be done in samba side as well.
>>>>(missing prototypes for trim_string, smb_xstrdup)
>>>>
>>>>LS
>>>
>>>BTW there is also another issue in IPA-SAM.
>>>The value of macro LDAP_PAGE_SIZE has changed
>>>and therefore there is a warning.
>>>
>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>#define LDAP_PAGE_SIZE 1024
>>>^
>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>                 from ipa_sam.c:31:
>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
>>>#define LDAP_PAGE_SIZE 1000
>>This is something we should fix. I'll look at it once in Brno.
>Here is a related change in samba
>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a
>

Please review attached patch.

LS
-------------- next part --------------
>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik Date: Wed, 9 Mar 2016 10:16:58 +0100 Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE The value of LDAP_PAGE_SIZE was changed in samba-4.4 and samba commit message says: "This matches Windows' Active Directory maximum page size." https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined #define LDAP_PAGE_SIZE 1024 In file included from /usr/include/samba-4.0/smbldap.h:24:0, from ipa_sam.c:31: /usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition #define LDAP_PAGE_SIZE 1000 --- daemons/ipa-sam/ipa_sam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ -#define LDAP_PAGE_SIZE 1024 +#undef LDAP_PAGE_SIZE +#define LDAP_PAGE_SIZE 1000 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" #define LDAP_OBJ_ID_OBJECT "ipaIDobject" -- 2.7.2 From mbabinsk at redhat.com Wed Mar 9 10:14:08 2016 
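Review bot: the "#undef LDAP_PAGE_SIZE" followed by "#define LDAP_PAGE_SIZE 1000" in ipa_sam.c silences the redefinition warning by discarding whatever smb_ldap.h provides and hard-coding a second copy of the same number, so the two can drift apart again with no diagnostic the next time samba changes its value. Prefer taking the definition from the samba header and keeping a local one only under "#ifndef LDAP_PAGE_SIZE". As written the hunk also moves the value from 1024 to 1000 unconditionally, for every samba version the file is built against and not only 4.4; the commit message should say so.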
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 9 Mar 2016 11:14:08 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56DD9E19.6010608@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com> <56DD8D5D.6090301@redhat.com> <56DD9E19.6010608@redhat.com>
Message-ID: <56DFF770.1010208@redhat.com>

On 03/07/2016 04:28 PM, Martin Kosek wrote:
> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>
>>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>>> AFAIK considered good security practice)?
>>
>> I would not invest into it:
>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>
> +1
>
> Martin
>

Then the patch should be sufficient, yes?

--
Martin^3 Babinsky

From sbose at redhat.com Wed Mar 9 10:57:33 2016
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 9 Mar 2016 11:57:33 +0100
Subject: [Freeipa-devel] [PATCH] SPEC: Remove unused build dependency on libwbclient
In-Reply-To: <20160309085905.GA3115@mail.corp.redhat.com>
References: <20160309085905.GA3115@mail.corp.redhat.com>
Message-ID: <20160309105733.GW3079@p.redhat.com>

On Wed, Mar 09, 2016 at 09:59:06AM +0100, Lukas Slebodnik wrote:
> ehlo,
>
> simple patch is attached.
>
> LS
> >From 3fe91e54c11245c3a773bc2cff5504b7a5f6ad16 Mon Sep 17 00:00:00 2001
> From: Lukas Slebodnik > Date: Wed, 9 Mar 2016 09:53:07 +0100 > Subject: [PATCH] SPEC: Remove unused build dependency on libwbclient > > The string "wbclient" is not mentioned anywhere in > source code and there isn't any issue with building > freeipa packages without this package. ACK This is a left-over from the times where we used winbind to look up AD users. With the ipa server mode of SSSD this is not needed anymore. bye, Sumit > --- > BUILD.txt | 2 +- > freeipa.spec.in | 1 - > 2 files changed, 1 insertion(+), 2 deletions(-) > > diff --git a/BUILD.txt b/BUILD.txt > index fb1a7996b6b0c69c5431b180eec65c2549448d91..d9484956dc4449fa43ff0a1146ca9cdf5b3e021e 100644 > --- a/BUILD.txt > +++ b/BUILD.txt > @@ -16,7 +16,7 @@ or > This is currently (2015-05-07): > > yum install rpm-build 389-ds-base-devel svrcore-devel policycoreutils \ > -systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ > +systemd-units samba-devel samba-python libtalloc-devel \ > libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ > krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ > autoconf automake m4 libtool gettext python-devel python-ldap \ > diff --git a/freeipa.spec.in b/freeipa.spec.in > index bc47df4c916bd8f091fc2f70330d95bd116ad187..9e277020d70215e052ab6c905b1c6a29ae6cdd4d 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in > @@ -48,7 +48,6 @@ BuildRequires: policycoreutils >= 2.1.12-5 > BuildRequires: systemd-units > BuildRequires: samba-devel >= %{samba_version} > BuildRequires: samba-python > -BuildRequires: libwbclient-devel > BuildRequires: libtalloc-devel > BuildRequires: libtevent-devel > %endif # ONLY_CLIENT > -- > 2.7.2 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From abokovoy at redhat.com Wed Mar 9 11:33:08 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Mar 2016 13:33:08 +0200
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160309094359.GC3115@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com> <20160129113147.GF24839@mail.corp.redhat.com> <20160129175913.GC21804@redhat.com> <20160203133037.GB2962@mail.corp.redhat.com> <20160309094359.GC3115@mail.corp.redhat.com>
Message-ID: <20160309113308.GB4492@redhat.com>

On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>On (03/02/16 14:30), Lukas Slebodnik wrote:
>>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>ehlo,
>>>>>
>>>>>attached patch should fix build on fedora-24.
>>>>>It blocks static analysis scan.
>>>>>
>>>>>Even though it unblocks build on fedora-24
>>>>>the solution is not ideal. It's possible that some changes
>>>>>need to be done in samba side as well.
>>>>>(missing prototypes for trim_string, smb_xstrdup)
>>>>>
>>>>>LS
>>>>
>>>>BTW there is also another issue in IPA-SAM.
>>>>The value of macro LDAP_PAGE_SIZE has changed
>>>>and therefore there is a warning.
>>>>
>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>#define LDAP_PAGE_SIZE 1024
>>>>^
>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>                 from ipa_sam.c:31:
>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
>>>>#define LDAP_PAGE_SIZE 1000
>>>This is something we should fix. I'll look at it once in Brno.
>>Here is a related change in samba
>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a
>>
>Please review attached patch.
>
>LS
>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik >Date: Wed, 9 Mar 2016 10:16:58 +0100 >Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE > >The value of LDAP_PAGE_SIZE was changed in samba-4.4 >and samba commit message says: "This matches Windows' Active Directory >maximum page size." >https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a > >ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined > #define LDAP_PAGE_SIZE 1024 > >In file included from /usr/include/samba-4.0/smbldap.h:24:0, > from ipa_sam.c:31: >/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition > #define LDAP_PAGE_SIZE 1000 >--- > daemons/ipa-sam/ipa_sam.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb 100644 >--- a/daemons/ipa-sam/ipa_sam.c >+++ b/daemons/ipa-sam/ipa_sam.c >@@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li > bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ > void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ > >-#define LDAP_PAGE_SIZE 1024 >+#undef LDAP_PAGE_SIZE >+#define LDAP_PAGE_SIZE 1000 > #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" > #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" > #define LDAP_OBJ_ID_OBJECT "ipaIDobject" >-- >2.7.2 > ACK but I wonder if we should be using the one defined by smbldap.h? -- / Alexander Bokovoy From mbasti at redhat.com Wed Mar 9 12:12:06 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:12:06 +0100
Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
In-Reply-To: <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
References: <1448406570.29102.26.camel@redhat.com> <56555E8C.5020608@redhat.com> <1448473396.17462.4.camel@redhat.com> <20151201080732.GI9605@redhat.com> <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com> <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
Message-ID: <56E01316.40502@redhat.com>

bump for review

On 09.12.2015 21:00, Simo Sorce wrote:
> Sent the wrong patch, attached the one that actually compiles.
>
> ----- Original Message -----
>> From: "Simo Sorce"
>> To: "Alexander Bokovoy"
>> Cc: "Simo Sorce" , "Jan Cholasta" , "freeipa-devel"
>> Sent: Wednesday, December 9, 2015 2:18:23 PM
>> Subject: Re: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
>>
>> ----- Original Message -----
>>> From: "Alexander Bokovoy"
>>> To: "Simo Sorce"
>>> Cc: "Jan Cholasta" , "freeipa-devel"
>>>
>>> Sent: Tuesday, December 1, 2015 3:07:32 AM
>>> Subject: Re: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz
>>> data type per user
>>>
>>> On Wed, 25 Nov 2015, Simo Sorce wrote:
>>>> On Wed, 2015-11-25 at 08:09 +0100, Jan Cholasta wrote:
>>>>> On 25.11.2015 00:09, Simo Sorce wrote:
>>>>>> This patch is untested and mostly an RFC.
>>>>>>
>>>>>> I think it is all we need to allow to specify authz data types per
>>>>>> user
>>>>>> and by setting the attribute to NONE preventing a user from getting
>>>>>> MS-PAC data in their ticket.
>>>>>>
>>>>>> Alexander you changed quite a bit the code around here so I'd like to
>>>>>> know if you think the change I made in the KDC will cause any issue
>>>>>> with
>>>>>> the special PACs we generate for master's principals. As far as I can
>>>>>> tell it shouldn't.
>>>>>>
>>>>>> Any opinion is welcome.
>>>>> Before your change, the server entry was checked for AS requests, now
>>>>> only the client entry is checked for AS requests. I'm not very familiar
>>>>> with ipa-kdb, but shouldn't the server entry still be checked as a
>>>>> fallback when there is no authorization data in the client entry?
>>>> This is partly why I CCed Alexander, the way the get function works is
>>>> that it will get policy on the entry itself and if nothing is there it
>>>> will try with the global policy, so in both cases the global policy is
>>>> sourced as fallback.
>>>>
>>>> For AS requests though you are generally asking for a TGT so the
>>>> "server" is the krbtgt entry that has no policy. It is true though
>>>> that a client *can* ask for a ticket directly via an AS request, that is
>>>> uncommon and it is unclear to me what we should do in that case if
>>>> client and server have incompatible options.
>>>>
>>>> Well this is why it is a RFC after all :)
>>> Can we source global policy for the direct AS request as well?
>> I think I would do this in a separate patch.
>>
>>>>> The attribute is exposed in the service plugin, shouldn't it be exposed
>>>>> in the user plugin as well?
>>>> I didn't do it on purpose yet but eventually we may want to expose it,
>>>> indeed. The reason I didn't is that we may want to use something like
>>>> CoS to populate the attribute based on group membership and I am not
>>>> sure we want to expose it per user, up to debate.
>>> I don't want to expose it in the config too.
>> Agreed.
>>
>> attached find an updated patch as I found a crash bug with the older one in
>> some situations.
>>
>> Simo.
>>
>>

From lslebodn at redhat.com Wed Mar 9 12:12:26 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 9 Mar 2016 13:12:26 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160309113308.GB4492@redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com> <20160129113147.GF24839@mail.corp.redhat.com> <20160129175913.GC21804@redhat.com> <20160203133037.GB2962@mail.corp.redhat.com> <20160309094359.GC3115@mail.corp.redhat.com> <20160309113308.GB4492@redhat.com>
Message-ID: <20160309121225.GD3115@mail.corp.redhat.com>

On (09/03/16 13:33), Alexander Bokovoy wrote:
>On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>On (03/02/16 14:30), Lukas Slebodnik wrote:
>>>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>>ehlo,
>>>>>>
>>>>>>attached patch should fix build on fedora-24.
>>>>>>It blocks static analysis scan.
>>>>>>
>>>>>>Even though it unblocks build on fedora-24
>>>>>>the solution is not ideal. It's possible that some changes
>>>>>>need to be done in samba side as well.
>>>>>>(missing prototypes for trim_string, smb_xstrdup)
>>>>>>
>>>>>>LS
>>>>>
>>>>>BTW there is also another issue in IPA-SAM.
>>>>>The value of macro LDAP_PAGE_SIZE has changed
>>>>>and therefore there is a warning.
>>>>>
>>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>>#define LDAP_PAGE_SIZE 1024
>>>>>^
>>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>>                 from ipa_sam.c:31:
>>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
>>>>>#define LDAP_PAGE_SIZE 1000
>>>>This is something we should fix. I'll look at it once in Brno.
>>>Here is a related change in samba
>>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a
>>>
>>Please review attached patch.
>>
>>LS
>
>>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001
>>From: Lukas Slebodnik >>Date: Wed, 9 Mar 2016 10:16:58 +0100 >>Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE >> >>The value of LDAP_PAGE_SIZE was changed in samba-4.4 >>and samba commit message says: "This matches Windows' Active Directory >>maximum page size." >>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >> >>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined >>#define LDAP_PAGE_SIZE 1024 >> >>In file included from /usr/include/samba-4.0/smbldap.h:24:0, >> from ipa_sam.c:31: >>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition >>#define LDAP_PAGE_SIZE 1000 >>--- >>daemons/ipa-sam/ipa_sam.c | 3 ++- >>1 file changed, 2 insertions(+), 1 deletion(-) >> >>diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >>index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb 100644 >>--- a/daemons/ipa-sam/ipa_sam.c >>+++ b/daemons/ipa-sam/ipa_sam.c >>@@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li >>bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ >>void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ >> >>-#define LDAP_PAGE_SIZE 1024 >>+#undef LDAP_PAGE_SIZE >>+#define LDAP_PAGE_SIZE 1000 >>#define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" >>#define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" >>#define LDAP_OBJ_ID_OBJECT "ipaIDobject" >>-- >>2.7.2 >> >ACK but I wonder if we should be using the one defined by smbldap.h? > It might be better. I will test it and send patch soon. LS From mbasti at redhat.com Wed Mar 9 12:13:36 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:13:36 +0100
Subject: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker
In-Reply-To: <562E5D60.4040102@redhat.com>
References: <5624C63D.5020000@redhat.com> <5624DF10.4060000@redhat.com> <56264753.1000405@redhat.com> <562669F8.3060502@redhat.com> <56271A5E.3010608@redhat.com> <562DDDD9.1060503@redhat.com> <562E5D60.4040102@redhat.com>
Message-ID: <56E01370.8070705@redhat.com>

On 26.10.2015 18:05, Martin Basti wrote:
>
> On 26.10.2015 09:01, Lenka Doudova wrote:
>>
>> On 10/21/2015 06:53 AM, Lenka Doudova wrote:
>>>
>>> On 10/20/2015 06:21 PM, Martin Basti wrote:
>>>>
>>>> On 20.10.2015 15:53, Martin Basti wrote:
>>>>>
>>>>> On 19.10.2015 14:16, Martin Basti wrote:
>>>>>>
>>>>>> On 19.10.2015 12:30, Martin Basti wrote:
>>>>>>> Attribute nsaccountlock has not been processed correctly
>>>>>>>
>>>>>>> Patch attached.
>>>>>>>
>>>>>>
>>>>>> Self-NACK, more fixes required
>>>>>>
>>>>> Updated patch attached, but it still needs to improve because
>>>>> tests in my patch 331 are still failing.
>>>>>
>>>>
>>>> Eternal self-NACK for this patch
>>>>
>>>> I'm not able to fix UserTracker, I need help from somebody with
>>>> higher view of how this tracker is supposed to work.
>>>> Follow my patch 0331
>>>
>>> Hi, I'll take a look at it today.
>>> Lenka
>>>
>> Hi,
>>
>> I fixed the trackers and tests, rebased patch attached.
>> Lenka
>>
>
> Thank you,
>
> 1)
> ************* Module ipatests.test_xmlrpc.test_stageuser_plugin
> ipatests/test_xmlrpc/test_stageuser_plugin.py:938:
> [E0102(function-redefined), TestMultipleManagers] class already
> defined line 913)
>
> 2)
> Because the patch contains tests too, I suggest to rename patch to
> Multiple manager per user tests.
> Also you should change committer of patch to you.
>
> Martin^2
>

Is this still valid? If yes, then bump for patch.
Martin^2

From mbasti at redhat.com Wed Mar 9 12:14:34 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:14:34 +0100
Subject: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker
In-Reply-To: <56E01370.8070705@redhat.com>
References: <5624C63D.5020000@redhat.com> <5624DF10.4060000@redhat.com> <56264753.1000405@redhat.com> <562669F8.3060502@redhat.com> <56271A5E.3010608@redhat.com> <562DDDD9.1060503@redhat.com> <562E5D60.4040102@redhat.com> <56E01370.8070705@redhat.com>
Message-ID: <56E013AA.2080909@redhat.com>

On 09.03.2016 13:13, Martin Basti wrote:
>
> On 26.10.2015 18:05, Martin Basti wrote:
>>
>> On 26.10.2015 09:01, Lenka Doudova wrote:
>>>
>>> On 10/21/2015 06:53 AM, Lenka Doudova wrote:
>>>>
>>>> On 10/20/2015 06:21 PM, Martin Basti wrote:
>>>>>
>>>>> On 20.10.2015 15:53, Martin Basti wrote:
>>>>>>
>>>>>> On 19.10.2015 14:16, Martin Basti wrote:
>>>>>>>
>>>>>>> On 19.10.2015 12:30, Martin Basti wrote:
>>>>>>>> Attribute nsaccountlock has not been processed correctly
>>>>>>>>
>>>>>>>> Patch attached.
>>>>>>>>
>>>>>>>
>>>>>>> Self-NACK, more fixes required
>>>>>>>
>>>>>> Updated patch attached, but it still needs to improve because
>>>>>> tests in my patch 331 are still failing.
>>>>>>
>>>>>
>>>>> Eternal self-NACK for this patch
>>>>>
>>>>> I'm not able to fix UserTracker, I need help from somebody with
>>>>> higher view of how this tracker is supposed to work.
>>>>> Follow my patch 0331
>>>>
>>>> Hi, I'll take a look at it today.
>>>> Lenka
>>>>
>>> Hi,
>>>
>>> I fixed the trackers and tests, rebased patch attached.
>>> Lenka
>>>
>>
>> Thank you,
>>
>> 1)
>> ************* Module ipatests.test_xmlrpc.test_stageuser_plugin
>> ipatests/test_xmlrpc/test_stageuser_plugin.py:938:
>> [E0102(function-redefined), TestMultipleManagers] class already
>> defined line 913)
>>
>> 2)
>> Because the patch contains tests too, I suggest to rename patch to
>> Multiple manager per user tests.
>> Also you should change committer of patch to you.
>>
>> Martin^2
>>
> Is this still valid? If yes, then bump for patch.
> Martin^2
>

Sorry, I realized this was fixed in different thread :)

From abokovoy at redhat.com Wed Mar 9 12:19:18 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Mar 2016 14:19:18 +0200
Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
In-Reply-To: <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
References: <1448406570.29102.26.camel@redhat.com> <56555E8C.5020608@redhat.com> <1448473396.17462.4.camel@redhat.com> <20151201080732.GI9605@redhat.com> <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com> <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
Message-ID: <20160309121918.GF4492@redhat.com>

On Wed, 09 Dec 2015, Simo Sorce wrote:
>From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>From: Simo Sorce
>Date: Tue, 24 Nov 2015 18:01:52 -0500
>Subject: [PATCH] Allow to specify Kerberos authz data type per user
>
>Like for services setting the ipaKrbAuthzData attribute on a user object will
>allow us to control exactly what authz data is allowed for that user.
>Setting NONE would allow no authz data, while setting MS-PAC would allow only
>Active Directory compatible data.
>
>Signed-off-by: Simo Sorce
>
>Ticket: https://fedorahosted.org/freeipa/ticket/2579

ACK for the code as that is obvious but I have question about
objectclass replication -- we extend objectclass definition to allow
more attributes in MAY. How 389-ds handles replication of such case,
will a new definition override the old one without any problem?
>@@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn > objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' ) > objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) > objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') >-objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) >+objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' ) > objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' ) > objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0') > objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' ) >-- >2.5.0 > -- / Alexander Bokovoy From mbasti at redhat.com Wed Mar 9 12:30:01 2016 
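Review bot: the replacement ipaUser line in the quoted schema hunk reads "MUST ( uid)" where the removed line had "MUST ( uid )"; the dropped space is an unrelated whitespace change in a definition whose only intended change is adding ipaKrbAuthzData to the MAY list. Restore "( uid )" so the diff shows just the new attribute and the line keeps the spacing of the neighbouring objectClasses definitions.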
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:30:01 +0100
Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg
Message-ID: <56E01749.2070609@redhat.com>

https://fedorahosted.org/freeipa/ticket/5298

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0437-Remove-redundant-parameters-from-CS.cfg-in-dogtagins.patch
Type: text/x-patch
Size: 1820 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Wed Mar 9 12:33:40 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 9 Mar 2016 13:33:40 +0100
Subject: [Freeipa-devel] [PATCH 0436] krb5.conf: use 'true' instead of 'yes'
In-Reply-To: <56DF292A.7090300@redhat.com>
References: <56DF292A.7090300@redhat.com>
Message-ID: <56E01824.1040801@redhat.com>

On 03/08/2016 08:34 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5518
>
> Patch attached.
>
>

ACK

--
Martin^3 Babinsky

From mbasti at redhat.com Wed Mar 9 12:34:51 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:34:51 +0100
Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
In-Reply-To: <20160309121918.GF4492@redhat.com>
References: <1448406570.29102.26.camel@redhat.com> <56555E8C.5020608@redhat.com> <1448473396.17462.4.camel@redhat.com> <20151201080732.GI9605@redhat.com> <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com> <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com> <20160309121918.GF4492@redhat.com>
Message-ID: <56E0186B.5060208@redhat.com>

On 09.03.2016 13:19, Alexander Bokovoy wrote:
> On Wed, 09 Dec 2015, Simo Sorce wrote:
>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>> From: Simo Sorce
>> Date: Tue, 24 Nov 2015 18:01:52 -0500
>> Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>
>> Like for services setting the ipaKrbAuthzData attribute on a user
>> object will
>> allow us to control exactly what authz data is allowed for that user.
>> Setting NONE would allow no authz data, while setting MS-PAC would
>> allow only
>> Active Directory compatible data.
>>
>> Signed-off-by: Simo Sorce
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/2579
> ACK for the code as that is obvious but I have question about
> objectclass replication -- we extend objectclass definition to allow
> more attributes in MAY. How 389-ds handles replication of such case,
> will a new definition override the old one without any problem?

if it will be updated by ipa-server-upgrade, it should be done without any problem.

Martin^2
> >> @@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.15 NAME >> 'ipaIDrange' ABSTRACT MUST ( cn >> objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' >> SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) >> X-ORIGIN 'IPA v3' ) >> objectClasses: (2.16.840.1.113730.3.8.12.17 NAME >> 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID >> $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) >> objectClasses: (2.16.840.1.113730.3.8.12.19 NAME >> 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for >> authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA >> v3') >> -objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY >> MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) >> +objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY >> MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' ) >> objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' >> DESC 'IPA Permission objectclass, version 2' SUP ipaPermission >> AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( >> ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ >> ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo >> $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' ) >> objectClasses: (2.16.840.1.113730.3.8.12.22 NAME >> 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access >> controls to arbitrary operations' MAY ( ipaAllowedToPerform $ >> ipaProtectedOperation ) X-ORIGIN 'IPA v4.0') >> objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' >> DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) >> X-ORIGIN 'IPA v4.1' ) >> -- >> 2.5.0 >> > > From abokovoy at redhat.com Wed Mar 9 12:40:49 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Mar 2016 14:40:49 +0200
Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
In-Reply-To: <56E0186B.5060208@redhat.com>
References: <1448406570.29102.26.camel@redhat.com>
 <56555E8C.5020608@redhat.com>
 <1448473396.17462.4.camel@redhat.com>
 <20151201080732.GI9605@redhat.com>
 <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com>
 <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
 <20160309121918.GF4492@redhat.com>
 <56E0186B.5060208@redhat.com>
Message-ID: <20160309124049.GH4492@redhat.com>

On Wed, 09 Mar 2016, Martin Basti wrote:
>
>
>On 09.03.2016 13:19, Alexander Bokovoy wrote:
>>On Wed, 09 Dec 2015, Simo Sorce wrote:
>>>From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>>>From: Simo Sorce
>>>Date: Tue, 24 Nov 2015 18:01:52 -0500
>>>Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>>
>>>Like for services setting the ipaKrbAuthzData attribute on a user
>>>object will
>>>allow us to control exactly what authz data is allowed for that user.
>>>Setting NONE would allow no authz data, while setting MS-PAC would
>>>allow only
>>>Active Directory compatible data.
>>>
>>>Signed-off-by: Simo Sorce
>>>
>>>Ticket: https://fedorahosted.org/freeipa/ticket/2579
>>ACK for the code as that is obvious but I have question about
>>objectclass replication -- we extend objectclass definition to allow
>>more attributes in MAY. How 389-ds handles replication of such case,
>>will a new definition override the old one without any problem?
>if it will be updated by ipa-server-upgrade, it should be done without
>any problem.
I'm interested in the replication part.

--
/ Alexander Bokovoy

From lslebodn at redhat.com Wed Mar 9 12:43:05 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 9 Mar 2016 13:43:05 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160309113308.GB4492@redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com>
 <20160129113147.GF24839@mail.corp.redhat.com>
 <20160129175913.GC21804@redhat.com>
 <20160203133037.GB2962@mail.corp.redhat.com>
 <20160309094359.GC3115@mail.corp.redhat.com>
 <20160309113308.GB4492@redhat.com>
Message-ID: <20160309124304.GI3115@mail.corp.redhat.com>

On (09/03/16 13:33), Alexander Bokovoy wrote:
>On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>On (03/02/16 14:30), Lukas Slebodnik wrote:
>>>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>>ehlo,
>>>>>>
>>>>>>attached patch should fix build on fedora-24.
>>>>>>It blocks static analysis scan.
>>>>>>
>>>>>>Even though it unblocks build on fedora-24
>>>>>>the solution is not ideal. It's possible that some changes
>>>>>>need to be done in samba side as well.
>>>>>>(missing prototypes for trim_string, smb_xstrdup
>>>>>>
>>>>>>LS
>>>>>
>>>>>BTW there is also another issue in IPA-SAM.
>>>>>The value of macro LDAP_PAGE_SIZE has changed
>>>>>and therefore there is a warning.
>>>>>
>>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>>#define LDAP_PAGE_SIZE 1024
>>>>>^
>>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>> from ipa_sam.c:31:
>>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
>>>>>#define LDAP_PAGE_SIZE 1000
>>>>This is something we should fix. I'll look at it once in Brno.
>>>Here is a related change in samba
>>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a
>>>
>>Please review attached patch.
>>
>>LS
>
>>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001
>>From: Lukas Slebodnik >>Date: Wed, 9 Mar 2016 10:16:58 +0100 >>Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE >> >>The value of LDAP_PAGE_SIZE was changed in samba-4.4 >>and samba commit message says: "This matches Windows' Active Directory >>maximum page size." >>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >> >>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined >>#define LDAP_PAGE_SIZE 1024 >> >>In file included from /usr/include/samba-4.0/smbldap.h:24:0, >> from ipa_sam.c:31: >>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition >>#define LDAP_PAGE_SIZE 1000 >>--- >>daemons/ipa-sam/ipa_sam.c | 3 ++- >>1 file changed, 2 insertions(+), 1 deletion(-) >> >>diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >>index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb 100644 >>--- a/daemons/ipa-sam/ipa_sam.c >>+++ b/daemons/ipa-sam/ipa_sam.c >>@@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li >>bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ >>void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ >> >>-#define LDAP_PAGE_SIZE 1024 >>+#undef LDAP_PAGE_SIZE >>+#define LDAP_PAGE_SIZE 1000 >>#define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" >>#define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" >>#define LDAP_OBJ_ID_OBJECT "ipaIDobject" >>-- >>2.7.2 >> >ACK but I wonder if we should be using the one defined by smbldap.h? > I checked header file on CentOS 7 and and it will work there as well. Updated patch is attached. LS -------------- next part -------------- >From e80014f6c1d4a4cc19f135a797c3f0823ad388c1 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Wed, 9 Mar 2016 10:16:58 +0100 Subject: [PATCH] ipa-sam: Do not redefine LDAP_PAGE_SIZE The value of LDAP_PAGE_SIZE was changed in samba-4.4 and it caused warning because it's already defined in samba header files ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined #define LDAP_PAGE_SIZE 1024 In file included from /usr/include/samba-4.0/smbldap.h:24:0, from ipa_sam.c:31: /usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition #define LDAP_PAGE_SIZE 1000 --- daemons/ipa-sam/ipa_sam.c | 1 - 1 file changed, 1 deletion(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 9216e63587995ef719015e34f96f48262eaf171f..4c1fda5f82b43f69929613f9938410b32cff31e7 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -111,7 +111,6 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ -#define LDAP_PAGE_SIZE 1024 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" #define LDAP_OBJ_ID_OBJECT "ipaIDobject" -- 2.7.2 From mbasti at redhat.com Wed Mar 9 12:44:03 2016 
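Review bot: With `#define LDAP_PAGE_SIZE 1024` removed in the hunk at line 111 of ipa_sam.c, the macro now comes only from the samba headers, so a header set that does not define it no longer builds, and the paged-search size follows samba (1000 in the smb_ldap.h quoted in the commit message, 1024 here before). Consider keeping a local fallback guarded by `#ifndef LDAP_PAGE_SIZE`, and state in the commit message that the effective page size changes, since the subject says only that the macro is no longer redefined.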
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 13:44:03 +0100
Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
In-Reply-To: <20160309124049.GH4492@redhat.com>
References: <1448406570.29102.26.camel@redhat.com>
 <56555E8C.5020608@redhat.com>
 <1448473396.17462.4.camel@redhat.com>
 <20151201080732.GI9605@redhat.com>
 <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com>
 <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com>
 <20160309121918.GF4492@redhat.com>
 <56E0186B.5060208@redhat.com>
 <20160309124049.GH4492@redhat.com>
Message-ID: <56E01A93.6090600@redhat.com>

On 09.03.2016 13:40, Alexander Bokovoy wrote:
> On Wed, 09 Mar 2016, Martin Basti wrote:
>>
>>
>> On 09.03.2016 13:19, Alexander Bokovoy wrote:
>>> On Wed, 09 Dec 2015, Simo Sorce wrote:
>>>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>>>> From: Simo Sorce
>>>> Date: Tue, 24 Nov 2015 18:01:52 -0500
>>>> Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>>>
>>>> Like for services setting the ipaKrbAuthzData attribute on a user
>>>> object will
>>>> allow us to control exactly what authz data is allowed for that user.
>>>> Setting NONE would allow no authz data, while setting MS-PAC would
>>>> allow only
>>>> Active Directory compatible data.
>>>>
>>>> Signed-off-by: Simo Sorce
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/2579
>>> ACK for the code as that is obvious but I have question about
>>> objectclass replication -- we extend objectclass definition to allow
>>> more attributes in MAY. How 389-ds handles replication of such case,
>>> will a new definition override the old one without any problem?
>> if it will be updated by ipa-server-upgrade, it should be done
>> without any problem.
> I'm interested in the replication part.
>
ipa-server-upgrade will cause that schema definition will be replicated.
If you put ldif file just to directory and restart DS, then it will not
be replicated. Replication requires that schema definitions must be
added via ldapadd/mod.

Thierry can provide more details.
Martin^2

From jpazdziora at redhat.com Wed Mar 9 13:45:13 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 9 Mar 2016 14:45:13 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <56D9B8C4.4070605@redhat.com>
References: <56D9B8C4.4070605@redhat.com>
Message-ID: <20160309134513.GA27299@redhat.com>

On Fri, Mar 04, 2016 at 05:33:08PM +0100, Petr Vobornik wrote:
>
> COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
> created in new @freeipa group:
> * @freeipa/freeipa-4-2-rc for f23
> * @freeipa/freeipa-4-3-rc for f23, f24, rawhide
>
> @freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means
> that there is push freeze in ipa-4-2 branch.
>
> 4.3.1 is not finished yet, but the COPR repository already contains initial
> package matching state of ipa-4-3 branch from today.
>
> [1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/
> [2] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-rc/

Unfortunately, it seems the existing 4.3.0 repo at

https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/

now contains only mod_auth_gssapi, at least for Fedora 23.

That breaks container testing.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From pvoborni at redhat.com Wed Mar 9 13:57:07 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 9 Mar 2016 14:57:07 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <20160309134513.GA27299@redhat.com>
References: <56D9B8C4.4070605@redhat.com> <20160309134513.GA27299@redhat.com>
Message-ID: <56E02BB3.4030505@redhat.com>

On 03/09/2016 02:45 PM, Jan Pazdziora wrote:
> On Fri, Mar 04, 2016 at 05:33:08PM +0100, Petr Vobornik wrote:
>>
>> COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
>> created in new @freeipa group:
>> * @freeipa/freeipa-4-2-rc for f23
>> * @freeipa/freeipa-4-3-rc for f23, f24, rawhide
>>
>> @freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means
>> that there is push freeze in ipa-4-2 branch.
>>
>> 4.3.1 is not finished yet, but the COPR repository already contains initial
>> package matching state of ipa-4-3 branch from today.
>>
>> [1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/
>> [2] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-rc/
>
> Unfortunately, it seems the existing 4.3.0 repo at
>
> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/
>
> now contains only mod_auth_gssapi, at least for Fedora 23.
>
> That breaks container testing.
>

I didn't realize that pvoborni/freeipa is still used by somebody and not a
personal testing repo - it was created at a time when @freeipa group didn't
exist.

For testing, please use
@freeipa/freeipa-4-3 for stable 4.3 release
@freeipa/freeipa-4-3-rc for upcoming versions of 4.3

In a near future
@freeipa/freeipa-4-3-centos7 will contain CentOS build of 4.3

Sorry for the inconvenience.
--
Petr Vobornik

From jpazdziora at redhat.com Wed Mar 9 14:22:18 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 9 Mar 2016 15:22:18 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <56E02BB3.4030505@redhat.com>
References: <56D9B8C4.4070605@redhat.com> <20160309134513.GA27299@redhat.com>
 <56E02BB3.4030505@redhat.com>
Message-ID: <20160309142218.GD1689@redhat.com>

On Wed, Mar 09, 2016 at 02:57:07PM +0100, Petr Vobornik wrote:
>
> I didn't realize that pvoborni/freeipa is still used by somebody and not a
> personal testing repo - it was created at a time when @freeipa group didn't
> exist.
>
> For testing, please use
> @freeipa/freeipa-4-3 for stable 4.3 release

Thank you, that works. The only minor drawback is that
pvoborni/freeipa-4-3 used to be announced as official repo while this
one says

	This *will* be the official COPR repository

suggesting it is not yet considered official.

> In a near future
> @freeipa/freeipa-4-3-centos7 will contain CentOS build of 4.3

Should I cast some preference, it'd be nice to have the CentOS builds
in @freeipa/freeipa-4-3 as well. The copr repo can have multiple
releases (there already are Fedora 23, 24, and rawhide) and adding
CentOS there instead to separate location could increase visibility
and decrease confusion.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mbasti at redhat.com Wed Mar 9 16:24:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 17:24:24 +0100
Subject: [Freeipa-devel] [WIP] Time-Based HBAC Policies
In-Reply-To: <56D9935D.9050507@redhat.com>
References: <56D9935D.9050507@redhat.com>
Message-ID: <56E04E38.8080804@redhat.com>

On 04.03.2016 14:53, Stanislav Laznicka wrote:
> Hello,
>
> So in the previous month and a bit I was reworking the time-based
> policies according to the changes we agreed on
> (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line
> 83). Let me briefly walk you through what was done (no TLDR, sorry,
> but split the text in chapters):
>
> *Time rule templates*
> In the attachment is the proposal how this could be done using
> costemplates. Currently, the time rule templates have their own
> directory in the realm tree. The idea is that it could be used for
> both HBAC and Sudo rules so it needs to be in a location both should
> be able to reach. Should we not want them used in Sudo rules, the
> template directory could be moved to HBAC directory. There are also
> some new permissions for accessing these time rule templates which may
> need to be revised if the templates should be used both for sudo and
> HBAC rules.
>
> *iCalendar format validation*
> So there is an iCalendar string validation now. During its creation,
> I came across several issues with python-icalendar which is basically
> why it took me so long to write the validation. I made several fixes
> to the python-icalendar library, most of them are already merged in
> the repository master (https://github.com/collective/icalendar), one
> should be pushed in the next library major release.
>
> My pull requests:
> https://github.com/collective/icalendar/pull/175
> https://github.com/collective/icalendar/pull/179
> https://github.com/collective/icalendar/pull/180
> https://github.com/collective/icalendar/pull/183
> https://github.com/collective/icalendar/pull/189
>
> I still have one fix in the making, that one should force the strong
> types in iCalendar as these are also missing in python-icalendar but
> required by the RFC.
>
> Also, obviously, if you want to try the patches, you will need the
> current python-icalendar implementation from Github. I haven't put
> python-icalendar dependency into the .spec file yet for this reason.
>
> *Summary*
> We are now able to import iCalendar strings from files and more or
> less be sure that the parts we need will be consistent with the RFC
> 5545 (basically, we are only checking that VEVENT components are
> correct, to bring strict checking to python-icalendar would take some
> time and I believe I spent way too much time with it already (there is
> an issue on their github page, though, it's 4 years old)).
>
> *TODO now*
> 0) *Update the design*
> 1a) The hbacrule-*-accesstime should probably be split into 2
> commands, one that reads iCalendar strings from files, and one that
> creates those strings from "some kind of user input" (similarly for
> timeruletemplates).
> 1b) Create the format of user input we could expect for the second
> kind of command from 1a). We need to be able to convert it to
> iCalendar string and back so that we are able to present the data
> stored on the server in human readable form.
> http://jkbrzt.github.io/rrule/ NL part might be of help although it
> aims mostly on RRULE property of VEVENT components, whereas we may
> want to use DTEND, EXDATE, RDATE and DURATION as well to be able to
> specify events more properly.
> 2) Represent the HBAC time rules on SSSD side. I already have a
> skeleton of this based on libical
> (https://github.com/libical/libical), which hopefully seems to be more
> viable than python-icalendar. I do not mean to do the validation of
> received iCalendar string on the SSSD side anymore (at least not in an
> excessive way), just get the required properties from VEVENT
> components and evaluate them accordingly.
>
> *Discuss*
> I would really appreciate your input on these topics:
> 1) How to represent the iCalendar strings on the client side in CLI
> (while thinking about WebUI as well)?
> 2a) Do we want to use the time rules for Sudo rules as well?
> 2b) If 2a), is the proposed location of time rule templates along with
> the privileges ok?
>
> Standa
>
>

Hello,
thank you for the patchset, I have a few comments :)

1)
+attributeTypes: (2.16.840.1.113730.3.8.11.72 NAME 'timeruleClass' DESC 'CNs of the timerule classes'

OID above is registered as:
2.16.840.1.113730.3.8.11.72 accessTimeExclude Access time - exclude these values

2)
please add requires and buildrequires to specfile (python-icalendar)

3)
Pylint is running, please wait ...
************* Module ipalib.plugins.hbacrule
ipalib/plugins/hbacrule.py:166: [E1101(no-member), validate_icalfile] Instance of 'list' has no 'name' member)
ipalib/plugins/hbacrule.py:175: [E1101(no-member), validate_icalfile] Instance of 'list' has no 'subcomponents' member)
ipalib/plugins/hbacrule.py:177: [E1601(print-statement), validate_icalfile] print statement used)
ipalib/plugins/hbacrule.py:190: [E1601(print-statement), validate_icalfile] print statement used)

first two errors must be disabled by # pylint: disable=no-member because it is too complicated for pylint
I'm pretty sure that print should not be in plugin implementation

4)
PEP8
./ipalib/plugins/hbacrule.py:255:80: E501 line too long (216 > 79 characters)
./ipalib/plugins/hbacrule.py:262:80: E501 line too long (225 > 79 characters)
./ipalib/plugins/hbacrule.py:270:80: E501 line too long (251 > 79 characters)
./ipalib/plugins/hbacrule.py:456:17: E127 continuation line over-indented for visual indent
./ipalib/plugins/hbacrule.py:646:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/hbacrule.py:657:1: E302 expected 2 blank lines, found 1
./ipalib/plugins/hbacrule.py:663:1: E302 expected 2 blank lines, found 1
./ipalib/plugins/hbacrule.py:177:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/hbacrule.py:215:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/hbacrule.py:542:80: E501 line too long (127 > 79 characters)
./ipalib/plugins/hbacrule.py:544:80: E501 line too long (127 > 79 characters)
./ipalib/plugins/hbacrule.py:551:1: E303 too many blank lines (3)

5)
Following imports in hbac rule should be before ipalib imports
+import icalendar
+from datetime import date
+

6)
+ ical_errors = ('{comp}: {err}'
+ .format(comp=x, err=y) for x, y in comp.errors)

it is not clear for me what is x, and y. A component of the component?
can you name it better than x,y. We are not limited by length of
identifiers in python too much :)

7)
ugettext string is wrong (all places)
+ error=_('There were errors parsing the iCalendar string:\n{errs}'
+ .format(errs='\n'.join(ical_errors)))

it should be
error=_('There were errors parsing the iCalendar string:\n{errs}').format(errs='\n'.join(ical_errors))

8)
+ # TODO: comp.required might be removed when
+ # https://github.com/collective/icalendar/pull/183 is merged

I'm not fan of TODO's in code, you provides copr repo anyway, so please
build package with this merge and remove TODO, we should create
workaround when upstream refuse your patches.

9)
+ if api.env.context == 'cli':
+ if ics and os.path.exists(ics):
+ return

The param is File class, so this check should be done automatically

10)
+ icalstr = ics
this statement is useless, please use ics directly

11)
+def validate_icalfile(ugettext, ics):

This and other similar restriction are required by IPA or it is invalid
icalfile? (sorry for question but I'm not familiar with icalendar enough yet)
+ error=_('A VEVENT component can\'t contain '
+ 'subcomponent "{}".'.format(sub.name))
+ )

In second case (icalfile is invalid) shouldn't be this validation done
in python-icalendar module instead of IPA validators?

12)
+ if 'DTEND' in comp.keys() and 'DURATION' in comp.keys():
+ raise errors.ValidationError(
+ name=name,
+ error=_('Both DURATION and DTEND set in a VEVENT.')
+ )
+
+ elif 'DTEND' in comp.keys():
+ if type(comp['DTSTART'].dt) != type(comp['DTEND'].dt):
+ raise errors.ValidationError(
+ name=name,
+ error=_('Different types of DTSTART and DTEND '
+ 'component in VEVENT.')
+ )

IMO following way is better for readability

    if 'DTEND' in comp.keys():
        if 'DURATION' in comp.keys():
            something1
        elif type(comp['DTSTART'].dt) != type(comp['DTEND'].dt):
            something2

13)
PATCH: Templating of access time rules for HBAC
There is missing upgrade path for:
+dn: cn=timeruleTemplates,$SUFFIX
+dn: cn=cosTimerulesDef,cn=hbac,$SUFFIX

14)
+ container_dn = DN(('cn', 'timeruletemplates'))
Please define this in constants.py

15)
Your managed ACI are completely new, so there should not be 'replaces'
definition (several times)
+ 'replaces': [
+ '(target = "ldap:///cn=*,cn=timeruletemplates,$SUFFIX")(version 3.0;acl "permission:Delete Time Rule Template";allow (delete) groupdn = "ldap:///cn=Delete Time Rule Template,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],

16)
+ 'System: Read Time Rule Template'
should have also 'objectclass' as allowed attribute

17)
+ File('accesstime', validate_icalfile,
+ cli_name='time',
+ label=_('Access time'),
+ ),
I prefer to have file option named like icalfile, instead of accesstime,
as you mentioned we may need to add more options to be UX friendly

Should we have option, which will take ical string directly from CLI,
IMO yes. (this applies for both, hbacrule, and timerule template)

18)
IMO timeruletemplate should be in separate module, we may reuse this
later, and I don't see why it should be in HBAC module

19)
+ Str('timeruleclass*',
+ cli_name='class'),
why option --class? it does not look descriptive enough for me. How
about --timerule-template. Also timeruletemplate instead of
timeruleclass looks better to me.

20)
+ result = ldap.get_entry(DN(('cn', options['timeruleclass'][0]),
+ ('cn', 'timeruletemplates'),
+ api.env.basedn))
Please use constants for container timeruletemplates
result is unused var, remove it please.

I have to look closer to icalendar and DS templates :) So review is not
finished, but feel free to fix issues I listed.
Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lslebodn at redhat.com Wed Mar 9 17:11:11 2016
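Point 7 of the review above (calling `.format()` inside versus outside `_()`), as an added example that is not part of the original thread or of the FreeIPA code. It assumes Python's standard `gettext` module with a constructed in-memory catalog; `ConstructedCatalog`, `format_inside`, `format_outside` and `demo` are names made up for this sketch.

```python
import gettext

# The constant template from the reviewed snippet; this literal is what a
# translation catalog is keyed on.
TEMPLATE = 'There were errors parsing the iCalendar string:\n{errs}'


class ConstructedCatalog(gettext.NullTranslations):
    """In-memory stand-in for a compiled .mo catalog (constructed for this example)."""

    def __init__(self, messages):
        super().__init__()
        self._messages = dict(messages)
        self.misses = []  # msgids that were requested but are not in the catalog

    def gettext(self, message):
        try:
            return self._messages[message]
        except KeyError:
            self.misses.append(message)
            return message  # gettext's fallback: hand back the msgid untranslated


def format_inside(_, ical_errors):
    """Pattern flagged in the review: the string is formatted before the lookup,
    so the catalog is asked for text that depends on the run-time errors."""
    return _(TEMPLATE.format(errs='\n'.join(ical_errors)))


def format_outside(_, ical_errors):
    """Pattern the review asks for: look up the constant template first,
    then fill the placeholder in the translated result."""
    return _(TEMPLATE).format(errs='\n'.join(ical_errors))


def demo():
    catalog = ConstructedCatalog({
        # Constructed pseudo-translation, marked with [xx] so it is easy to spot.
        TEMPLATE: '[xx] iCalendar parse errors:\n{errs}',
    })
    _ = catalog.gettext
    # Constructed sample validation errors.
    errors = ['VEVENT: DTSTART missing', 'VEVENT: bad RRULE']
    inside = format_inside(_, errors)
    outside = format_outside(_, errors)
    return inside, outside, catalog.misses


if __name__ == '__main__':
    inside, outside, misses = demo()
    print('format inside  ->', repr(inside))
    print('format outside ->', repr(outside))
    print('catalog misses ->', len(misses))
```

The formatted-first call never matches a catalog entry, because every distinct error list produces a different msgid; the template-first call always looks up the same constant string.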
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 9 Mar 2016 18:11:11 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <20160309142218.GD1689@redhat.com>
References: <56D9B8C4.4070605@redhat.com> <20160309134513.GA27299@redhat.com>
 <56E02BB3.4030505@redhat.com> <20160309142218.GD1689@redhat.com>
Message-ID: <20160309171110.GM3115@mail.corp.redhat.com>

On (09/03/16 15:22), Jan Pazdziora wrote:
>On Wed, Mar 09, 2016 at 02:57:07PM +0100, Petr Vobornik wrote:
>>
>> I didn't realize that pvoborni/freeipa is still used by somebody and not a
>> personal testing repo - it was created at a time when @freeipa group didn't
>> exist.
>>
>> For testing, please use
>> @freeipa/freeipa-4-3 for stable 4.3 release
>
>Thank you, that works. The only minor drawback is that
>pvoborni/freeipa-4-3 used to be announced as official repo while this
>one says
>
> This *will* be the official COPR repository
>
>suggesting it is not yet considered official.
>
>> In a near future
>> @freeipa/freeipa-4-3-centos7 will contain CentOS build of 4.3
>
>Should I cast some preference, it'd be nice to have the CentOS builds
>in @freeipa/freeipa-4-3 as well. The copr repo can have multiple
>releases (there already are Fedora 23, 24, and rawhide) and adding
>CentOS there instead to separate location could increase visibility
>and decrease confusion.
>
Yes, it can have multiple release but freeipa-4.3 requires
many dependencies which are not in CentOS 7

I would prefer if these dependencies were not in @freeipa/freeipa-4-3
but in separate copr repos which can be maintained by domain experts.
e.g. we have our sssd repo
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

And it's simpler to describe details of external repo on front page of
@freeipa/freeipa-4-3-centos7

LS

From abokovoy at redhat.com Wed Mar 9 17:16:17 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 9 Mar 2016 19:16:17 +0200
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160309124304.GI3115@mail.corp.redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com>
 <20160129113147.GF24839@mail.corp.redhat.com>
 <20160129175913.GC21804@redhat.com>
 <20160203133037.GB2962@mail.corp.redhat.com>
 <20160309094359.GC3115@mail.corp.redhat.com>
 <20160309113308.GB4492@redhat.com>
 <20160309124304.GI3115@mail.corp.redhat.com>
Message-ID: <20160309171617.GQ4492@redhat.com>

On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>On (09/03/16 13:33), Alexander Bokovoy wrote:
>>On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>>On (03/02/16 14:30), Lukas Slebodnik wrote:
>>>>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>>>ehlo,
>>>>>>>
>>>>>>>attached patch should fix build on fedora-24.
>>>>>>>It blocks static analysis scan.
>>>>>>>
>>>>>>>Even though it unblocks build on fedora-24
>>>>>>>the solution is not ideal. It's possible that some changes
>>>>>>>need to be done in samba side as well.
>>>>>>>(missing prototypes for trim_string, smb_xstrdup
>>>>>>>
>>>>>>>LS
>>>>>>
>>>>>>BTW there is also another issue in IPA-SAM.
>>>>>>The value of macro LDAP_PAGE_SIZE has changed
>>>>>>and therefore there is a warning.
>>>>>>
>>>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>>>#define LDAP_PAGE_SIZE 1024
>>>>>>^
>>>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>>> from ipa_sam.c:31:
>>>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
>>>>>>#define LDAP_PAGE_SIZE 1000
>>>>>This is something we should fix. I'll look at it once in Brno.
>>>>Here is a related change in samba
>>>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a
>>>>
>>>Please review attached patch.
>>>
>>>LS
>> >>>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001 >>>From: Lukas Slebodnik >>>Date: Wed, 9 Mar 2016 10:16:58 +0100 >>>Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE >>> >>>The value of LDAP_PAGE_SIZE was changed in samba-4.4 >>>and samba commit message says: "This matches Windows' Active Directory >>>maximum page size." >>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >>> >>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined >>>#define LDAP_PAGE_SIZE 1024 >>> >>>In file included from /usr/include/samba-4.0/smbldap.h:24:0, >>> from ipa_sam.c:31: >>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition >>>#define LDAP_PAGE_SIZE 1000 >>>--- >>>daemons/ipa-sam/ipa_sam.c | 3 ++- >>>1 file changed, 2 insertions(+), 1 deletion(-) >>> >>>diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >>>index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb 100644 >>>--- a/daemons/ipa-sam/ipa_sam.c >>>+++ b/daemons/ipa-sam/ipa_sam.c >>>@@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in li >>>bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ >>>void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ >>> >>>-#define LDAP_PAGE_SIZE 1024 >>>+#undef LDAP_PAGE_SIZE >>>+#define LDAP_PAGE_SIZE 1000 >>>#define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" >>>#define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" >>>#define LDAP_OBJ_ID_OBJECT "ipaIDobject" >>>-- >>>2.7.2 >>> >>ACK but I wonder if we should be using the one defined by smbldap.h? >> >I checked header file on CentOS 7 and and it will work there as well. >Updated patch is attached. ACK. -- / Alexander Bokovoy From pvoborni at redhat.com Wed Mar 9 17:17:58 2016 
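Review bot: The `#undef LDAP_PAGE_SIZE` followed by `#define LDAP_PAGE_SIZE 1000` silences the redefinition warning by overriding the samba header with a hand-copied value, so ipa_sam.c will drift from smb_ldap.h without any diagnostic the next time samba changes the macro. Drop both lines and use the header's definition, or keep a local value only under `#ifndef LDAP_PAGE_SIZE`, so there is a single source for the page size.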
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 9 Mar 2016 18:17:58 +0100
Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates
In-Reply-To: <20160309142218.GD1689@redhat.com>
References: <56D9B8C4.4070605@redhat.com> <20160309134513.GA27299@redhat.com>
 <56E02BB3.4030505@redhat.com> <20160309142218.GD1689@redhat.com>
Message-ID: <56E05AC6.9030406@redhat.com>

On 03/09/2016 03:22 PM, Jan Pazdziora wrote:
> On Wed, Mar 09, 2016 at 02:57:07PM +0100, Petr Vobornik wrote:
>>
>> I didn't realize that pvoborni/freeipa is still used by somebody and not a
>> personal testing repo - it was created at a time when @freeipa group didn't
>> exist.
>>
>> For testing, please use
>> @freeipa/freeipa-4-3 for stable 4.3 release
>
> Thank you, that works. The only minor drawback is that
> pvoborni/freeipa-4-3 used to be announced as official repo while this
> one says
>
> This *will* be the official COPR repository
>
> suggesting it is not yet considered official.

pvoborni/freeipa-4-3 was never official it was used for 4-3 pre-release
testing.

mkosek/freeipa-4.3 is (and other in mkosek namespace). But they are being
migrated to @freeipa namespace. The only remaining is @mkosek/freeipa-4-2.
It was not officially announced yet.

>
>> In a near future
>> @freeipa/freeipa-4-3-centos7 will contain CentOS build of 4.3
>
> Should I cast some preference, it'd be nice to have the CentOS builds
> in @freeipa/freeipa-4-3 as well. The copr repo can have multiple
> releases (there already are Fedora 23, 24, and rawhide) and adding
> CentOS there instead to separate location could increase visibility
> and decrease confusion.
>

The issue is different versions of packages(mostly specs) and
dependencies. Of course, it is possible to build certain packages with
different srpm only for CentOS but using a different repo is in my opinion
more clear.
--
Petr Vobornik

From mbasti at redhat.com Wed Mar 9 17:59:52 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 9 Mar 2016 18:59:52 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <20160309171617.GQ4492@redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com>
 <20160129113147.GF24839@mail.corp.redhat.com>
 <20160129175913.GC21804@redhat.com>
 <20160203133037.GB2962@mail.corp.redhat.com>
 <20160309094359.GC3115@mail.corp.redhat.com>
 <20160309113308.GB4492@redhat.com>
 <20160309124304.GI3115@mail.corp.redhat.com>
 <20160309171617.GQ4492@redhat.com>
Message-ID: <56E06498.3050703@redhat.com>

On 09.03.2016 18:16, Alexander Bokovoy wrote:
> On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>> On (09/03/16 13:33), Alexander Bokovoy wrote:
>>> On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>>> On (03/02/16 14:30), Lukas Slebodnik wrote:
>>>>> On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>>>> On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>>>> On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>>>> ehlo,
>>>>>>>>
>>>>>>>> attached patch should fix build on fedora-24.
>>>>>>>> It blocks static analysis scan.
>>>>>>>>
>>>>>>>> Even though it unblocks build on fedora-24
>>>>>>>> the solution is not ideal. It's possible that some changes
>>>>>>>> need to be done in samba side as well.
>>>>>>>> (missing prototypes for trim_string, smb_xstrdup
>>>>>>>>
>>>>>>>> LS
>>>>>>>
>>>>>>> BTW there is also another issue in IPA-SAM.
>>>>>>> The value of macro LDAP_PAGE_SIZE has changed
>>>>>>> and therefore there is a warning.
>>>>>>>
>>>>>>> ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>>>> #define LDAP_PAGE_SIZE 1024
>>>>>>> ^
>>>>>>> In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>>>> from ipa_sam.c:31:
>>>>>>> /usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the
>>>>>>> location of the previous definition
>>>>>>> #define LDAP_PAGE_SIZE 1000
>>>>>> This is something we should fix. I'll look at it once in Brno.
>>>>> Here is a related change in samba >>>>> https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >>>>> >>>>> >>>> Please review attached patch. >>>> >>>> LS >>> >>>> From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001 >>>> From: Lukas Slebodnik >>>> Date: Wed, 9 Mar 2016 10:16:58 +0100 >>>> Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE >>>> >>>> The value of LDAP_PAGE_SIZE was changed in samba-4.4 >>>> and samba commit message says: "This matches Windows' Active Directory >>>> maximum page size." >>>> https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >>>> >>>> >>>> ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined >>>> #define LDAP_PAGE_SIZE 1024 >>>> >>>> In file included from /usr/include/samba-4.0/smbldap.h:24:0, >>>> from ipa_sam.c:31: >>>> /usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location >>>> of the previous definition >>>> #define LDAP_PAGE_SIZE 1000 >>>> --- >>>> daemons/ipa-sam/ipa_sam.c | 3 ++- >>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >>>> index >>>> 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb >>>> 100644 >>>> --- a/daemons/ipa-sam/ipa_sam.c >>>> +++ b/daemons/ipa-sam/ipa_sam.c 
>>>> @@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, >>>> const char *s); /* available in li >>>> bool secrets_store(const char *key, const void *data, size_t size); >>>> /* available in libpdb.so */ >>>> void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct >>>> unixid *unix_id); /* available in libsmbconf.so */ >>>> >>>> -#define LDAP_PAGE_SIZE 1024 >>>> +#undef LDAP_PAGE_SIZE >>>> +#define LDAP_PAGE_SIZE 1000 >>>> #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" >>>> #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" >>>> #define LDAP_OBJ_ID_OBJECT "ipaIDobject" >>>> -- >>>> 2.7.2 >>>> >>> ACK but I wonder if we should be using the one defined by smbldap.h? >>> >> I checked header file on CentOS 7 and and it will work there as well. >> Updated patch is attached. > ACK. > Pushed to master: 0906cc28b8387a62945d2531dd19bef60f731364 From mbasti at redhat.com Wed Mar 9 18:02:15 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 9 Mar 2016 19:02:15 +0100 Subject: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user In-Reply-To: <56E01A93.6090600@redhat.com> References: <1448406570.29102.26.camel@redhat.com> <56555E8C.5020608@redhat.com> <1448473396.17462.4.camel@redhat.com> <20151201080732.GI9605@redhat.com> <1934255375.26292682.1449688703387.JavaMail.zimbra@redhat.com> <1892639799.26312584.1449691241103.JavaMail.zimbra@redhat.com> <20160309121918.GF4492@redhat.com> <56E0186B.5060208@redhat.com> <20160309124049.GH4492@redhat.com> <56E01A93.6090600@redhat.com> Message-ID: <56E06527.6010102@redhat.com> On 09.03.2016 13:44, Martin Basti wrote: > > > On 09.03.2016 13:40, Alexander Bokovoy wrote: >> On Wed, 09 Mar 2016, Martin Basti wrote: >>> >>> >>> On 09.03.2016 13:19, Alexander Bokovoy wrote: >>>> On Wed, 09 Dec 2015, Simo Sorce wrote: >>>>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 >>>>> 2001 
>>>>> From: Simo Sorce >>>>> Date: Tue, 24 Nov 2015 18:01:52 -0500 >>>>> Subject: [PATCH] Allow to specify Kerberos authz data type per user >>>>> >>>>> Like for services setting the ipaKrbAuthzData attribute on a user >>>>> object will >>>>> allow us to control exactly what authz data is allowed for that user. >>>>> Setting NONE would allow no authz data, while setting MS-PAC would >>>>> allow only >>>>> Active Directory compatible data. >>>>> >>>>> Signed-off-by: Simo Sorce >>>>> >>>>> Ticket: https://fedorahosted.org/freeipa/ticket/2579 >>>> ACK for the code as that is obvious but I have question about >>>> objectclass replication -- we extend objectclass definition to allow >>>> more attributes in MAY. How 389-ds handles replication of such case, >>>> will a new definition override the old one without any problem? >>> if it will be updated by ipa-server-upgrade, it should be done >>> without any problem. >> I'm interested in the replication part. >> > ipa-server-upgrade will cause that schema definition will be replicated. > If you put ldif file just to directory and restart DS, then it will > not be replicated. Replication requires that schema definitions must > be added via ldapadd/mod. Thierry can provide more details. > > Martin^2 > Pushed to: master: 7a20fc671b07344b0ee8460bef07398cb3ffaf59 ipa-4-3: 6798ee6d0db1aa5d975b82e156790d81960c8a7a From mbasti at redhat.com Wed Mar 9 18:03:36 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 9 Mar 2016 19:03:36 +0100 Subject: [Freeipa-devel] [PATCH] SPEC: Remove unused build dependency on libwbclient In-Reply-To: <20160309105733.GW3079@p.redhat.com> References: <20160309085905.GA3115@mail.corp.redhat.com> <20160309105733.GW3079@p.redhat.com> Message-ID: <56E06578.8090802@redhat.com> On 09.03.2016 11:57, Sumit Bose wrote: > On Wed, Mar 09, 2016 at 09:59:06AM +0100, Lukas Slebodnik wrote: >> ehlo, >> >> simple patch is attached. >> >> LS 
>> >From 3fe91e54c11245c3a773bc2cff5504b7a5f6ad16 Mon Sep 17 00:00:00 2001 >> From: Lukas Slebodnik >> Date: Wed, 9 Mar 2016 09:53:07 +0100 >> Subject: [PATCH] SPEC: Remove unused build dependency on libwbclient >> >> The string "wbclient" is not mentioned anywhere in >> source code and there isn't any issue with building >> freeipa packages without this package. > ACK > > This is a left-over form the times where we used winbind to look up AD > users. With the ipa server mode of SSSD this is not needed anymore. > > bye, > Sumit > Pushed to master: 2a61ddb644b4a0bee37c1faf82c461b4cf41bc38 >> --- >> BUILD.txt | 2 +- >> freeipa.spec.in | 1 - >> 2 files changed, 1 insertion(+), 2 deletions(-) >> >> diff --git a/BUILD.txt b/BUILD.txt >> index fb1a7996b6b0c69c5431b180eec65c2549448d91..d9484956dc4449fa43ff0a1146ca9cdf5b3e021e 100644 >> --- a/BUILD.txt >> +++ b/BUILD.txt >> @@ -16,7 +16,7 @@ or >> This is currently (2015-05-07): >> >> yum install rpm-build 389-ds-base-devel svrcore-devel policycoreutils \ >> -systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \ >> +systemd-units samba-devel samba-python libtalloc-devel \ >> libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \ >> krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \ >> autoconf automake m4 libtool gettext python-devel python-ldap \ >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index bc47df4c916bd8f091fc2f70330d95bd116ad187..9e277020d70215e052ab6c905b1c6a29ae6cdd4d 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in 
>> @@ -48,7 +48,6 @@ BuildRequires: policycoreutils >= 2.1.12-5 >> BuildRequires: systemd-units >> BuildRequires: samba-devel >= %{samba_version} >> BuildRequires: samba-python >> -BuildRequires: libwbclient-devel >> BuildRequires: libtalloc-devel >> BuildRequires: libtevent-devel >> %endif # ONLY_CLIENT >> -- >> 2.7.2 >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbasti at redhat.com Wed Mar 9 18:10:16 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 9 Mar 2016 19:10:16 +0100 Subject: [Freeipa-devel] [PATCH 0436] krb5.conf: use 'true' instead of 'yes' In-Reply-To: <56E01824.1040801@redhat.com> References: <56DF292A.7090300@redhat.com> <56E01824.1040801@redhat.com> Message-ID: <56E06708.4040700@redhat.com> On 09.03.2016 13:33, Martin Babinsky wrote: > On 03/08/2016 08:34 PM, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5518 >> >> Patch attached. >> >> > ACK > Pushed to: ipa-4-3: d5ff7bf76adcf6229bb1884c73c4aefac4e9eb25 master: e0b9afded5baab4e6e0cca5dda5554924a59317a From lslebodn at redhat.com Wed Mar 9 18:59:09 2016 
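Review bot: the BUILD.txt hunk of the quoted "SPEC: Remove unused build dependency on libwbclient" patch (@@ -16,7 +16,7 @@) changes the yum package list but leaves the context line "This is currently (2015-05-07):" untouched, so the list no longer matches the date it claims; update that date in the same hunk. In the freeipa.spec.in hunk only "BuildRequires: libwbclient-devel" is dropped, and the visible context does not show whether a runtime Requires on libwbclient exists elsewhere in the spec, so it is worth confirming that none is left behind. Sumit's explanation from the thread (a left-over from the winbind lookups, not needed with the ipa server mode of SSSD) would also be a better justification in the commit message than the grep result alone.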
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 9 Mar 2016 19:59:09 +0100
Subject: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4
In-Reply-To: <56E06498.3050703@redhat.com>
References: <20160129111218.GD24839@mail.corp.redhat.com> <20160129113147.GF24839@mail.corp.redhat.com> <20160129175913.GC21804@redhat.com> <20160203133037.GB2962@mail.corp.redhat.com> <20160309094359.GC3115@mail.corp.redhat.com> <20160309113308.GB4492@redhat.com> <20160309124304.GI3115@mail.corp.redhat.com> <20160309171617.GQ4492@redhat.com> <56E06498.3050703@redhat.com>
Message-ID: <20160309185909.GN3115@mail.corp.redhat.com>

On (09/03/16 18:59), Martin Basti wrote:
>On 09.03.2016 18:16, Alexander Bokovoy wrote:
>>On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>>On (09/03/16 13:33), Alexander Bokovoy wrote:
>>>>On Wed, 09 Mar 2016, Lukas Slebodnik wrote:
>>>>>On (03/02/16 14:30), Lukas Slebodnik wrote:
>>>>>>On (29/01/16 19:59), Alexander Bokovoy wrote:
>>>>>>>On Fri, 29 Jan 2016, Lukas Slebodnik wrote:
>>>>>>>>On (29/01/16 12:12), Lukas Slebodnik wrote:
>>>>>>>>>ehlo,
>>>>>>>>>
>>>>>>>>>attached patch should fix build on fedora-24.
>>>>>>>>>It blocks static analysis scan.
>>>>>>>>>
>>>>>>>>>Even though it unblocks build on fedora-24
>>>>>>>>>the solution is not ideal. It's possible that some changes
>>>>>>>>>need to be done in samba side as well.
>>>>>>>>>(missing prototypes for trim_string, smb_xstrdup
>>>>>>>>>
>>>>>>>>>LS
>>>>>>>>
>>>>>>>>BTW there is also another issue in IPA-SAM.
>>>>>>>>The value of macro LDAP_PAGE_SIZE has changed
>>>>>>>>and therefore there is a warning.
>>>>>>>>
>>>>>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
>>>>>>>>#define LDAP_PAGE_SIZE 1024
>>>>>>>>^
>>>>>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0,
>>>>>>>> from ipa_sam.c:31:
>>>>>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the
>>>>>>>>location of the previous definition
>>>>>>>>#define LDAP_PAGE_SIZE 1000
>>>>>>>This is something we should fix.
I'll look at it once in Brno. >>>>>>Here is a related change in samba >>>>>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >>>>>> >>>>>> >>>>>Please review attached patch. >>>>> >>>>>LS >>>> >>>>>From 770577899357a812475d06d1da74254e6f83205d Mon Sep 17 00:00:00 2001 >>>>>From: Lukas Slebodnik >>>>>Date: Wed, 9 Mar 2016 10:16:58 +0100 >>>>>Subject: [PATCH] ipa-sam: Change value of LDAP_PAGE_SIZE >>>>> >>>>>The value of LDAP_PAGE_SIZE was changed in samba-4.4 >>>>>and samba commit message says: "This matches Windows' Active Directory >>>>>maximum page size." >>>>>https://github.com/samba-team/samba/commit/8c2609f3186d40afb5954737dc174ce190cd368a >>>>> >>>>> >>>>>ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined >>>>>#define LDAP_PAGE_SIZE 1024 >>>>> >>>>>In file included from /usr/include/samba-4.0/smbldap.h:24:0, >>>>> from ipa_sam.c:31: >>>>>/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of >>>>>the previous definition >>>>>#define LDAP_PAGE_SIZE 1000 >>>>>--- >>>>>daemons/ipa-sam/ipa_sam.c | 3 ++- >>>>>1 file changed, 2 insertions(+), 1 deletion(-) >>>>> >>>>>diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c >>>>>index 9216e63587995ef719015e34f96f48262eaf171f..dba7ba2c803ae384bedaed9ae874a6a01232abfb >>>>>100644 >>>>>--- a/daemons/ipa-sam/ipa_sam.c >>>>>+++ b/daemons/ipa-sam/ipa_sam.c 
>>>>>@@ -111,7 +111,8 @@ char *escape_ldap_string(TALLOC_CTX *mem_ctx, >>>>>const char *s); /* available in li >>>>>bool secrets_store(const char *key, const void *data, size_t size); >>>>>/* available in libpdb.so */ >>>>>void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct >>>>>unixid *unix_id); /* available in libsmbconf.so */ >>>>> >>>>>-#define LDAP_PAGE_SIZE 1024 >>>>>+#undef LDAP_PAGE_SIZE >>>>>+#define LDAP_PAGE_SIZE 1000 >>>>>#define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" >>>>>#define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" >>>>>#define LDAP_OBJ_ID_OBJECT "ipaIDobject" >>>>>-- >>>>>2.7.2 >>>>> >>>>ACK but I wonder if we should be using the one defined by smbldap.h? >>>> >>>I checked header file on CentOS 7 and and it will work there as well. >>>Updated patch is attached. >>ACK. >> >Pushed to master: 0906cc28b8387a62945d2531dd19bef60f731364 > BTW if you wnat to get rid of warning on fedora 24 (freeipa-4.3) then it might be pushed there as well. But feel free to create ticket for it yourself. I'm happy with fixed warning on master LS From ftweedal at redhat.com Thu Mar 10 02:35:01 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 10 Mar 2016 12:35:01 +1000 Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg In-Reply-To: <56E01749.2070609@redhat.com> References: <56E01749.2070609@redhat.com> Message-ID: <20160310023501.GA12127@dhcp-40-8.bne.redhat.com> On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5298 > > Patch attached. > ACK Thanks, Fraser From jcholast at redhat.com Thu Mar 10 06:15:59 2016 
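Review bot: the "#undef LDAP_PAGE_SIZE" / "#define LDAP_PAGE_SIZE 1000" pair in the quoted daemons/ipa-sam/ipa_sam.c hunk (@@ -111,7 +111,8 @@) silences the redefinition warning by overriding whatever smb_ldap.h provides, so ipa_sam.c would silently keep 1000 if samba changes the value again. Guarding the local definition with "#ifndef LDAP_PAGE_SIZE" and "#endif" would take the header's value when it exists and use 1000 only as a fallback for samba versions that do not define it, which is the direction the question in the thread about using the definition from smbldap.h points at. A one-line comment next to the macro saying why the value is 1000 (the commit message quotes samba: it matches Active Directory's maximum page size) would keep the reason in the source rather than only in the log.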
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 10 Mar 2016 07:15:59 +0100
Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg
In-Reply-To: <20160310023501.GA12127@dhcp-40-8.bne.redhat.com>
References: <56E01749.2070609@redhat.com> <20160310023501.GA12127@dhcp-40-8.bne.redhat.com>
Message-ID: <56E1111F.8030708@redhat.com>

On 10.3.2016 03:35, Fraser Tweedale wrote:
> On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5298
>>
>> Patch attached.
>>
> ACK

Shouldn't we remove these on upgrade as well?

--
Jan Cholasta

From ftweedal at redhat.com Thu Mar 10 06:57:58 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 10 Mar 2016 16:57:58 +1000
Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg
In-Reply-To: <56E1111F.8030708@redhat.com>
References: <56E01749.2070609@redhat.com> <20160310023501.GA12127@dhcp-40-8.bne.redhat.com> <56E1111F.8030708@redhat.com>
Message-ID: <20160310065758.GB12127@dhcp-40-8.bne.redhat.com>

On Thu, Mar 10, 2016 at 07:15:59AM +0100, Jan Cholasta wrote:
> On 10.3.2016 03:35, Fraser Tweedale wrote:
> >On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote:
> >>https://fedorahosted.org/freeipa/ticket/5298
> >>
> >>Patch attached.
> >>
> >ACK
>
> Shouldn't we remove these on upgrade as well?
>
The parameters are doing no harm in existing installations, so it is
a tradeoff between ensuring consistency between existing and new
installations, or adding more steps to upgrade script. What is the
guiding principle here?

Cheers,
Fraser

From jcholast at redhat.com Thu Mar 10 07:08:11 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 10 Mar 2016 08:08:11 +0100 Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg In-Reply-To: <20160310065758.GB12127@dhcp-40-8.bne.redhat.com> References: <56E01749.2070609@redhat.com> <20160310023501.GA12127@dhcp-40-8.bne.redhat.com> <56E1111F.8030708@redhat.com> <20160310065758.GB12127@dhcp-40-8.bne.redhat.com> Message-ID: <56E11D5B.6070603@redhat.com> On 10.3.2016 07:57, Fraser Tweedale wrote: > On Thu, Mar 10, 2016 at 07:15:59AM +0100, Jan Cholasta wrote: >> On 10.3.2016 03:35, Fraser Tweedale wrote: >>> On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5298 >>>> >>>> Patch attached. >>>> >>> ACK >> >> Shouldn't we remove these on upgrade as well? >> > The parameters are doing no harm in existing installations, so it is > a tradeoff between ensuring consistency between existing and new > installations, or adding more steps to upgrade script. What is the > guiding principle here? Install and upgrade should result in the same configuration, but given we have no sane infrastructure for that and the parameters are harmless as you pointed out, I think we are fine here. So ACK. -- Jan Cholasta From lslebodn at redhat.com Thu Mar 10 09:40:14 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 10 Mar 2016 10:40:14 +0100 Subject: [Freeipa-devel] [PATCH] BUILD: Remove detection of libcheck Message-ID: <20160310094012.GC18289@mail.corp.redhat.com> ehlo, simple patch is attached. LS -------------- next part -------------- >From 2b34cdbb3b36dcf95746fdf3d843f66989b0f1c0 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Thu, 10 Mar 2016 10:26:52 +0100 Subject: [PATCH] BUILD: Remove detection of libcheck The unit test framework check has not been used in freeipa for long time (if ever) but there was still conditional check for this framework. It just produced confusing warning: Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite --- BUILD.txt | 2 +- daemons/configure.ac | 11 ----------- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/BUILD.txt b/BUILD.txt index d948495..b5660aa 100644 --- a/BUILD.txt +++ b/BUILD.txt @@ -23,7 +23,7 @@ autoconf automake m4 libtool gettext python-devel python-ldap \ python-setuptools python-nss python-netaddr python-gssapi \ python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \ sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \ -check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ +libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \ libverto-devel systemd libunistring-devel python-lesscpy python-yubico \ python-backports-ssl_match_hostname softhsm-devel openssl-devel \ p11-kit-devel pki-base python-pytest-multihost python-pytest-sourceorder diff --git a/daemons/configure.ac b/daemons/configure.ac index 2a1f6aa..2906def 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -208,17 +208,6 @@ dnl --------------------------------------------------------------------------- PKG_CHECK_MODULES([LIBVERTO], [libverto]) dnl --------------------------------------------------------------------------- -dnl - Check for check unit test framework http://check.sourceforge.net/ -dnl --------------------------------------------------------------------------- -PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) -if test x$have_check = x; then - AC_MSG_WARN([Without the 'CHECK' library, you will be unable to run all tests in the 'make check' suite]) -else - AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) -fi -AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) - -dnl --------------------------------------------------------------------------- dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/ dnl --------------------------------------------------------------------------- PKG_CHECK_EXISTS(cmocka, -- 2.7.2 From jpazdziora at redhat.com Thu Mar 10 09:57:15 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Thu, 10 Mar 2016 10:57:15 +0100 Subject: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates In-Reply-To: <56E05AC6.9030406@redhat.com> References: <56D9B8C4.4070605@redhat.com> <20160309134513.GA27299@redhat.com> <56E02BB3.4030505@redhat.com> <20160309142218.GD1689@redhat.com> <56E05AC6.9030406@redhat.com> Message-ID: <20160310095715.GP1689@redhat.com> On Wed, Mar 09, 2016 at 06:17:58PM +0100, Petr Vobornik wrote: > > pvoborni/freeipa-4-3 was never official it was used for 4-3 pre-release > testing. mkosek/freeipa-4.3 is (and other in mkosek namespace). But they are Ah, mean culpa, I've mixed those two. Sorry for the noise. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From pvoborni at redhat.com Thu Mar 10 14:03:48 2016 
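Review bot: the daemons/configure.ac hunk of the "BUILD: Remove detection of libcheck" patch (@@ -208,17 +208,6 @@) removes AM_CONDITIONAL([HAVE_CHECK], ...) together with the PKG_CHECK_MODULES([CHECK], ...) probe, but the diffstat lists only BUILD.txt and daemons/configure.ac. Any Makefile.am under daemons/ that still contains an "if HAVE_CHECK" block will make automake fail once the conditional is gone, and any remaining use of CHECK_CFLAGS or CHECK_LIBS will expand to nothing. The commit message says the framework has not been used for a long time; it should also state that a search of the Makefile.am files for HAVE_CHECK and CHECK_ comes back empty, or the patch should remove those uses in the same change.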
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 10 Mar 2016 15:03:48 +0100
Subject: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches
Message-ID: <56E17EC4.4040500@redhat.com>

Attaching also mod_auth_gssapi patch. If the approach is good, then I'd
send it as a push request to upstream git repo.

Copr build of mod_auth_gssapi with the patch:
https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/

IPA patch attached uses the functionality.

https://fedorahosted.org/freeipa/ticket/5653

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0955-sessions-use-unique-mod_auth_gssapi-ccaches.patch
Type: text/x-patch
Size: 1707 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Support-unique-credential-cache-names.patch
Type: text/x-patch
Size: 6769 bytes
Desc: not available
URL:

From simo at redhat.com Thu Mar 10 14:25:52 2016
From: simo at redhat.com (Simo Sorce)
Date: Thu, 10 Mar 2016 09:25:52 -0500
Subject: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches
In-Reply-To: <56E17EC4.4040500@redhat.com>
References: <56E17EC4.4040500@redhat.com>
Message-ID: <1457619952.8257.306.camel@redhat.com>

On Thu, 2016-03-10 at 15:03 +0100, Petr Vobornik wrote:
> Attaching also mod_auth_gssapi patch. If the approach is good, then I'd
> send it as a push request to upstream git repo.
>
> Copr build of mod_auth_gssapi with the patch:
> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/
>
> IPA patch attached uses the functionality.
>
> https://fedorahosted.org/freeipa/ticket/5653

I think the mod_auth_gssapi patch needs more work.

For one you are not storing the generated ccname in the cookie, which
means any following request using mod_auth_gssapi sessions will not be
able to point to the ccache file.

It is also not clear to me why you are using a timestamp and not just
call something like mkstemp() with a template, and add an option called
GssapiDelegCcacheTemplate instead. The templated part would have to be
saved in the session so that following requests can keep using the same
ccache file.

There are other minor nitpicks around naming stuff, but those can be
handled in the PR.

One thing I am still undecided about is deletion of the files, I'd like
to have a better option than "application must delete them", I was
thinking about keeping a record of the expiration time (not sure where
yet), and then provide a cron job or a systemd timer to clean up all
expired stuff.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From redhatrises at gmail.com Thu Mar 10 14:25:56 2016
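Added example, not code from mod_auth_gssapi or from the patch under review: one way to get the unique ccache name discussed in the message above, creating the file with mkstemp() and keeping only the random suffix for the session, then validating that suffix before it is turned back into a path. The "krb5cc-" prefix, both function names and the directory argument are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), mkdtemp(), lstat() */
#endif
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CC_PREFIX "krb5cc-"   /* assumed file name prefix */
#define CC_SUFFIX_LEN 6       /* mkstemp() replaces exactly six X characters */

/* Create a new ccache file with an unpredictable name inside dir.
 * Returns 0 and fills path (full name) and suffix (the part to keep in
 * the session); returns an errno value on failure. */
int ccache_create_unique(const char *dir, char *path, size_t pathlen,
                         char suffix[CC_SUFFIX_LEN + 1])
{
    int n = snprintf(path, pathlen, "%s/" CC_PREFIX "XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return ENAMETOOLONG;

    /* mkstemp() opens with O_CREAT|O_EXCL, so an existing file or a
     * planted symlink with the same name is never reused. */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    /* Do not rely on the libc default mode or the process umask. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int err = errno;
        close(fd);
        unlink(path);
        return err;
    }
    close(fd);

    memcpy(suffix, path + n - CC_SUFFIX_LEN, CC_SUFFIX_LEN);
    suffix[CC_SUFFIX_LEN] = '\0';
    return 0;
}

/* Rebuild the path for a later request from the suffix kept in the
 * session. The suffix is treated as untrusted input: anything other than
 * six alphanumerics (what glibc's mkstemp() generates) is rejected, and
 * the file must be a regular file owned by this process with no
 * group/other permission bits. */
int ccache_path_from_suffix(const char *dir, const char *suffix,
                            char *path, size_t pathlen)
{
    if (strlen(suffix) != CC_SUFFIX_LEN)
        return EINVAL;
    for (size_t i = 0; i < CC_SUFFIX_LEN; i++)
        if (!isalnum((unsigned char)suffix[i]))
            return EINVAL;

    int n = snprintf(path, pathlen, "%s/" CC_PREFIX "%s", dir, suffix);
    if (n < 0 || (size_t)n >= pathlen)
        return ENAMETOOLONG;

    struct stat st;
    if (lstat(path, &st) != 0)
        return errno;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return EACCES;
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/ccache-demo-XXXXXX";   /* constructed scratch dir */
    char path[256], again[256], suffix[CC_SUFFIX_LEN + 1];

    if (mkdtemp(dir) == NULL)
        return 1;
    if (ccache_create_unique(dir, path, sizeof(path), suffix) != 0)
        return 1;
    printf("created %s, session keeps \"%s\"\n", path, suffix);

    /* A later request resolves the same file from the stored suffix. */
    int rc = ccache_path_from_suffix(dir, suffix, again, sizeof(again));
    printf("lookup rc=%d path=%s\n", rc, again);
    /* A tampered value is rejected before any file system access. */
    printf("tampered rc=%d\n",
           ccache_path_from_suffix(dir, "../../", again, sizeof(again)));

    unlink(path);
    rmdir(dir);
    return rc;
}
```

Cleanup of expired files, the open point at the end of the message, is not covered here.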
From: redhatrises at gmail.com (Gabe Alford)
Date: Thu, 10 Mar 2016 07:25:56 -0700
Subject: [Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes
Message-ID:

Hello,

Attached patches fix the following tickets related to IPA log files:

https://fedorahosted.org/freeipa/ticket/5724
https://fedorahosted.org/freeipa/ticket/5726
https://fedorahosted.org/freeipa/ticket/5727

Patch 0067 should be applied first, and patch 0069 applied last.

Thanks,
Gabe
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0067-Store-IPA-logs-in-one-directory-var-log-ipa.patch
Type: text/x-patch
Size: 3710 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0068-Remove-unused-ipareplica-ca-install.log.patch
Type: text/x-patch
Size: 1689 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rga-0069-ipa-dns-install-should-log-to-its-own-logfile.patch
Type: text/x-patch
Size: 1727 bytes
Desc: not available
URL:

From rcritten at redhat.com Thu Mar 10 14:44:07 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 10 Mar 2016 09:44:07 -0500
Subject: [Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes
In-Reply-To:
References:
Message-ID: <56E18837.5000409@redhat.com>

Gabe Alford wrote:
> Hello,
>
> Attached patches fix the following tickets related to IPA log files:
>
> https://fedorahosted.org/freeipa/ticket/5724
> https://fedorahosted.org/freeipa/ticket/5726
> https://fedorahosted.org/freeipa/ticket/5727
>
> Patch 0067 should be applied first, and patch 0069 applied last.
>

NACK. The location is also in the man pages and referenced in at least
the server install script.

rob

From mbasti at redhat.com Thu Mar 10 14:46:52 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 10 Mar 2016 15:46:52 +0100
Subject: [Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes
In-Reply-To: <56E18837.5000409@redhat.com>
References: <56E18837.5000409@redhat.com>
Message-ID: <56E188DC.5040703@redhat.com>

On 10.03.2016 15:44, Rob Crittenden wrote:
> Gabe Alford wrote:
>> Hello,
>>
>> Attached patches fix the following tickets related to IPA log files:
>>
>> https://fedorahosted.org/freeipa/ticket/5724
>> https://fedorahosted.org/freeipa/ticket/5726
>> https://fedorahosted.org/freeipa/ticket/5727
>>
>> Patch 0067 should be applied first, and patch 0069 applied last.
>>
> NACK. The location is also in the man pages and referenced in at least
> the server install script.
>
> rob
>
Hello,

please wait with next patches, tickets have not been triaged yet, some of
them might be closed as wontfix.

Also we might need to add symlinks for several versions of IPA, to be
compatible and not cause headaches for users.

Martin^2

From mkosek at redhat.com Thu Mar 10 14:57:09 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 10 Mar 2016 15:57:09 +0100
Subject: [Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes
In-Reply-To: <56E18837.5000409@redhat.com>
References: <56E18837.5000409@redhat.com>
Message-ID: <56E18B45.8050802@redhat.com>

On 03/10/2016 03:44 PM, Rob Crittenden wrote:
> Gabe Alford wrote:
>> Hello,
>>
>> Attached patches fix the following tickets related to IPA log files:
>>
>> https://fedorahosted.org/freeipa/ticket/5724
>> https://fedorahosted.org/freeipa/ticket/5726
>> https://fedorahosted.org/freeipa/ticket/5727
>>
>> Patch 0067 should be applied first, and patch 0069 applied last.
>>
>
> NACK. The location is also in the man pages and referenced in at least
> the server install script.

Right. Also, before the admins get used to the new locations, we should
provide symlinks from current locations to the new log files. If there are
log files with timestamp, the symlink can point to the most recent log file.

This would prevent admins running current Fedora, RHEL, CentOS or other
distributions to still access the log files as they are used to.

From mbabinsk at redhat.com Thu Mar 10 14:59:20 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 10 Mar 2016 15:59:20 +0100
Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode
Message-ID: <56E18BC8.1000700@redhat.com>

https://fedorahosted.org/freeipa/ticket/5380

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0141-ipa-replica-manage-print-traceback-on-unexpected-err.patch
Type: text/x-patch
Size: 1952 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Mar 10 17:08:23 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 10 Mar 2016 18:08:23 +0100
Subject: [Freeipa-devel] [PATCH] 0005 webui: topology graph: canvas resizes itself according to the window size
In-Reply-To: <56CF1498.8080302@redhat.com>
References: <56BC7105.3020609@redhat.com> <56BDD5A6.8010108@redhat.com> <56C1ECA4.2070900@redhat.com> <56C4ADF0.4080702@redhat.com> <56CF1498.8080302@redhat.com>
Message-ID: <56E1AA07.5040102@redhat.com>

On 02/25/2016 03:50 PM, Pavel Vomacka wrote:
>
>
> On 02/17/2016 06:29 PM, Petr Vobornik wrote:
>> On 02/15/2016 04:20 PM, Pavel Vomacka wrote:
>>>
>>>
>>> On 02/12/2016 01:52 PM, Pavel Vomacka wrote:
>>>>
>>>>
>>>> On 02/11/2016 12:31 PM, Pavel Vomacka wrote:
>>>>> Hello,
>>>>>
>>>>> The canvas of the graph had static size. This patch fixes this issue
>>>>> and from now the graph canvas is resized according to the window size.
>>>>>
>>>>> Pavel Vomacka
>>>>>
>>>>>
>>>> Because of changes in previous patch I'm sending also this one again.
>>>> Plus I fixed some jslint warnings.
>>>>
>>>> And again a link to the ticket:
>>>> https://fedorahosted.org/freeipa/ticket/5647 .
>>>>
>>>> --
>>>> Pavel^3 Vomacka
>>>>
>>>>
>>> And another change in the code. This patch adds checking whether a svg
>>> element even exists. And don't add 'col-sm-12' class to the svg element
>>> any more. This class just added useless paddings to the element.
>>>
>>> --
>>> Pavel^3 Vomacka
>>>
>>
>> Hi,
>>
>> thanks for the patch.
> Hi,
>
> thank you for reviewing.
>>
>> 1. I don't like the fact that the resize handler registered in
>> initialize method is active forever, even when viewing other facets.
> I moved the handler to the topology graph facet. It is also removed
> after hide event is emitted.
>> 2. The code will probably fail if there is other svg element present
>> on the page.
>>
>> $('svg') searches for all svg elements in DOM, such search is usually
>> slow and undeterministic.
>> It is better to use a stored reference (if
>> possible) or limit the search to some parent element, e.g. TopoGraph
>> can store and then use its container.
>>
>> Would be funny if there were 2 graphs.
> Yep, you are right. I avoid using this type of searching in this patch.
>
>>
>> 3. Why is there the toFixed(1) call? Or more specifically on that
>> position? It hides the fact that toFixed transforms Number to String
>> and then '-' operator with Number on the right casts it back to Number.
> The toFixed(1) was used just because we don't need so accurate numbers,
> but in this patch this function is not used any more.
>>
>> 4. width could be just: this._svg.parent().width()
> The width is now solved by using this.content.width() in topology graph
> facet. I think that the calculating of width and height should be at the
> same place. That is why I didn't put calculating of width into the
> TopoGraph.
>>
>> 5. Your approach for bottom padding works well but I don't like that
>> the component assumes that there is some col-sm-12 element on a page
>> whose right padding is actually equal to space on the left of the svg.
> I agree, fixed.
>>
>> #1 and #5 makes me think that the resize logic should be moved to
>> topology facet. Something like:
>>
>> * register resize handler on facet's 'show' event
>> * unregister resize handler on facet's 'hide' event (will solve #1)
>> * on window resize, compute the size in topology facet, call new
>> .resize(width, height) method of TopoGraph
>>
>> Then, we wouldn't have to search whole DOM for 'svg' elements to check
>> if page is visible. The bottom padding can be obtained by:
>> parseInt(this.content.css('paddingLeft')) where 'this' is facet.
>>
> I followed these tips and here is a new patch.
>
> --
> Pavel^3 Vomacka

1.
- width: 960, - height: 500,

Graph even without this patch allows to set initial size in a
constructor, e.g.:

E.g.
so he could also use:

    this.graph = new topology_graph.TopoGraph({
        nodes: data.nodes,
        links: data.links,
        suffixes: data.suffixes,
        height: height,
        width: width
    });

IMO we should leave some default size there, e.g. the old 960x500 so that
the graph is shown even without explicit configuration.

2.
- update: function() { + update: function(height, width) {

Update method should not require size params. E.g. if it should trigger
only data update. So it should contain at least a doc string that the
values are optional. Maybe it should be a single param.

--
Petr Vobornik

From pvoborni at redhat.com Thu Mar 10 17:14:33 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 10 Mar 2016 18:14:33 +0100
Subject: [Freeipa-devel] [PATCH] 0004 webui: topology graph: Add pan and zoom functionality
In-Reply-To: <56CB3886.1020805@redhat.com>
References: <56B2108E.2@redhat.com> <56C5FD80.70007@redhat.com> <56CB3886.1020805@redhat.com>
Message-ID: <56E1AB79.2090101@redhat.com>

On 02/22/2016 05:34 PM, Pavel Vomacka wrote:
>
>
> On 02/18/2016 06:21 PM, Petr Vobornik wrote:
>> On 02/03/2016 03:37 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> I'm sending a patch for review. This patch adds pan and zoom
>>> functionality to the topology graph. The page remembers old position and
>>> size of the graph. So, it keeps these settings after refreshing the
>>> page.
>>>
>>> The patch is in attachment.
>>>
>>> Pavel Vomacka
>>>
>>>
>>
>> 1. if node.fixed should be number then, we can store number in local
>> storage as well (only as string, e.g. num + '') instead of 'true' so
>> that we make the logic more straightforward/consistent.
>>
> Fixed.
>> 2. following lines are too long: .attr("transform", "translate(" +
>> d3.event.translate + ")scale(" + d3.event.scale + ")");
>>
>> .attr('transform', 'translate(' + trans.translate + ')scale(' +
>> trans.scale + ')');
>>
> These two and one more line are now split into more lines which are
> short enough.
>> 3. 'svg_' prefix for translate and scale keys is too generic, would
>> use e.g. topo_graph
>>
> 'svg_' prefix is changed to the 'graph' prefix.
>
> There is also change in using 'this' and 'that' variables. Instead of
> declaring 'that' variable there is used the bind() method.
>

ACK

Pushed to:
master: 18a4053a687ac51c43cb594debe02409537647cf
ipa-4-3: b59e49feb9c3b820256a006f1202e4abd82ed691

--
Petr Vobornik

From pvoborni at redhat.com Thu Mar 10 17:24:57 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 10 Mar 2016 18:24:57 +0100 Subject: [Freeipa-devel] [PATCH] 0006 webui: topology graph: Nodes are switched to fixed state after initial animation In-Reply-To: <56C496A8.3000606@redhat.com> References: <56C496A8.3000606@redhat.com> Message-ID: <56E1ADE9.1080600@redhat.com> On 02/17/2016 04:50 PM, Pavel Vomacka wrote: > Hello, > > The positions of nodes were different after each reload. The attached > patch changes it. The nodes are set as fixed after initial animation. > Even if someone releases the node by double-clicking then after > animation the node is set as fixed. And the same behavior for newly added > nodes to the graph (i.e. new client) - after initial animation, which > allows node to find proper position, the node is set as fixed, too. > > The patch also fixes one minor bug which is, I guess, related to this > bug. In a situation where the node is set as fixed (no matter how - > manually or automatically) then the page is reloaded or refreshed, then > the initial animation runs. If after all these steps someone tries to > release the node by double-clicking the state of the node is set to not > fixed, but a layout animation is not run. This is the reason why there > is layout.resume() in dblclick listener. If you think that there should > be another ticket for this minor bug, let me know. > > -- > Pavel^3 Vomacka > > ACK Pushed to: master: 1cc582e9b8bd28deb70d29412cdaa500d904c8e3 ipa-4-3: 790953d8955c709c45921bff53463065e312dd27 -- Petr Vobornik From pvomacka at redhat.com Thu Mar 10 17:47:05 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 10 Mar 2016 18:47:05 +0100 Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options Message-ID: <56E1B319.9020204@redhat.com> Hi, These two options allow preventing clickjacking attacks. They don't allow open FreeIPA in frame, iframe or object element. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0008-Add-X-Frame-Options-and-frame-ancestors-options.patch Type: text/x-patch Size: 1227 bytes Desc: not available URL: From pvoborni at redhat.com Thu Mar 10 17:49:38 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 10 Mar 2016 18:49:38 +0100 Subject: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog In-Reply-To: <56DD56DC.2050708@redhat.com> References: <56D58D07.709@redhat.com> <56D9CDFF.9090406@redhat.com> <56DD56DC.2050708@redhat.com> Message-ID: <56E1B3B2.9080808@redhat.com> On 03/07/2016 11:24 AM, Pavel Vomacka wrote: > > > On 03/04/2016 07:03 PM, Petr Vobornik wrote: >> On 03/01/2016 01:37 PM, Pavel Vomacka wrote: >>> Hi, >>> >>> The patch adds new field in user add dialog. This combo box lists GIDs >>> of posix groups >>> so user can choose one. It is also possible to fill a GID number >>> which is not in the list. >>> >>> Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505 >>> >>> -- >>> Pavel^3 Vomacka >>> >> >> 1. We can keep default label 'GID' by removing 'label' from spec, >> which is also used on details page. No need to add a new string. >> >> 2. It is hard to pick a group from a list because the only thing >> administrator sees are GID numbers, e.g.,: >> * 330800000 >> * 330800002 >> >> It would be good to show a group name there or group name + GID >> * admins >> * editors >> >> Reasoning: >> a) If admin wants to set arbitrary GID number not managed in IPA, he >> already knows it and can enter it directly. >> b) If he wants to set a specific group then he will search for it by >> name. >> >> Such change will require a change in combobox widget so that we can >> specify a label field and a value field. E.g. list will operate with >> e.g.: >> [ >> { label: 'admins', value: 330800000 }, >> { label: 'editors', value: 330800000 } >> ] >> >> and not [ 330800000, 330800000 ] >> >> I tried if it is possible to do easily and yes. See attached wippatch. >> Would be good to check if it breaks anything. If not then we can merge >> it into your patch. > Hi, > > thank you for your patch. It's definitely better to see names of groups > instead of numbers. 
Your solution works well. > > I merged your patch with mine and the result is attached. I also removed > definitions of new string (was used as label) from my first patch . > > Pavel^3 Vomacka > > ACK Pushed to: master: f7429a2dec96eec302629b0b792e785ba832d5ef ipa-4-3: 934babc8ae216b60628ffdce0325498e541cf543 FYI: I also opened https://fedorahosted.org/freeipa/ticket/5731 -- Petr Vobornik From pvoborni at redhat.com Thu Mar 10 17:58:36 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 10 Mar 2016 18:58:36 +0100 Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group In-Reply-To: <56DEC2DF.3000801@redhat.com> References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com> <56DEBE89.70808@redhat.com> <56DEC2DF.3000801@redhat.com> Message-ID: <56E1B5CC.7070208@redhat.com> On 03/08/2016 01:17 PM, Lenka Doudova wrote: > > > On 03/08/2016 12:59 PM, Petr Vobornik wrote: >> On 03/07/2016 04:29 PM, Pavel Vomacka wrote: >>> >>> >>> On 02/25/2016 03:08 PM, Lenka Doudova wrote: >>>> Hi, >>>> >>>> here's a patch for webUI tests that provides test for creating user >>>> without private group. >>>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986 >>>> >>>> Since the option to specify GID when creating a user is not available >>>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new >>>> posix group, makes it a default user group instead of 'ipausers' and >>>> then attempts to create the user without private group. Returning >>>> default user group value to 'ipausers' is provided even for cases when >>>> the test fails so it would not block other tests from performing >>>> properly. >>>> >>>> Lenka >>>> >>>> >>> Hi, >>> >>> ACK, works well. >>> >>> Pavel^3 Vomacka >>> >> >> NACK, don't use naked except, specify at least 'Exception' >> + except: >> > > Thanks, patch fixed according to Petr's review attached. > > Lenka Ticket 5505 was pushed. So the workaround can be removed. Do you prefer to do it in this patch? Also, maybe it would be good to test both cases and check if the error is actually the right one. -- Petr Vobornik From simo at redhat.com Thu Mar 10 18:02:23 2016 
From: simo at redhat.com (Simo Sorce) Date: Thu, 10 Mar 2016 13:02:23 -0500 Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options In-Reply-To: <56E1B319.9020204@redhat.com> References: <56E1B319.9020204@redhat.com> Message-ID: <1457632943.8257.335.camel@redhat.com> On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote: > Hi, > > These two options allow preventing clickjacking attacks. They don't > allow open FreeIPA in frame, iframe or object element. Will these apply to the whole server or just to /ipa ? Simo. -- Simo Sorce * Red Hat, Inc * New York From mbasti at redhat.com Thu Mar 10 18:04:44 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 10 Mar 2016 19:04:44 +0100 Subject: [Freeipa-devel] [PATCH 0435] client: enable ChallengeResponseAuthentication in sshd_config Message-ID: <56E1B73C.2050805@redhat.com> https://fedorahosted.org/freeipa/ticket/5703 Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0435-client-enable-ChallengeResponseAuthentication-in-ssh.patch Type: text/x-patch Size: 1232 bytes Desc: not available URL: From pvomacka at redhat.com Thu Mar 10 18:20:26 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 10 Mar 2016 19:20:26 +0100 Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options In-Reply-To: <1457632943.8257.335.camel@redhat.com> References: <56E1B319.9020204@redhat.com> <1457632943.8257.335.camel@redhat.com> Message-ID: <56E1BAEA.805@redhat.com> On 03/10/2016 07:02 PM, Simo Sorce wrote: > On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote: >> Hi, >> >> These two options allow preventing clickjacking attacks. They don't >> allow open FreeIPA in frame, iframe or object element. > Will these apply to the whole server or just to /ipa ? > Yes, you are right, these apply to whole server. In this new patch they are applied only on /ipa. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0008-2-Add-X-Frame-Options-and-frame-ancestors-options.patch Type: text/x-patch Size: 1002 bytes Desc: not available URL: From simo at redhat.com Thu Mar 10 18:22:55 2016 From: simo at redhat.com (Simo Sorce) Date: Thu, 10 Mar 2016 13:22:55 -0500 Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options In-Reply-To: <56E1BAEA.805@redhat.com> References: <56E1B319.9020204@redhat.com> <1457632943.8257.335.camel@redhat.com> <56E1BAEA.805@redhat.com> Message-ID: <1457634175.8257.336.camel@redhat.com> On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote: > > On 03/10/2016 07:02 PM, Simo Sorce wrote: > > On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote: > >> Hi, > >> > >> These two options allow preventing clickjacking attacks. They don't > >> allow open FreeIPA in frame, iframe or object element. > > Will these apply to the whole server or just to /ipa ? > > > Yes, you are right, these apply to whole server. In this new patch they > are applied only on /ipa. > > -- > Pavel^3 Vomacka Thanks, LGTM Simo. -- Simo Sorce * Red Hat, Inc * New York From mbasti at redhat.com Thu Mar 10 18:25:24 2016 
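The two anti-framing headers from the "[PATCH] 0008 Add X-Frame-Options and frame-ancestors options" thread above can be checked per path, which also answers the scope question raised in review (whole server or only /ipa). The Python below is an added example, not part of the thread or of the FreeIPA patch; the header values (`DENY`, `frame-ancestors 'none'`), the sample paths and the three response sets are constructed assumptions.

```python
"""Audit response headers for anti-framing (clickjacking) protection per path."""


def parse_csp(value):
    """Parse one Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A directive repeated inside one policy is ignored: first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_framing(value):
    """Who may frame the response per frame-ancestors; None if not specified."""
    if value is None:
        return None
    sources = parse_csp(value).get("frame-ancestors")
    if sources is None:
        return None  # frame-ancestors does not fall back to default-src
    sources = [s.lower() for s in sources]
    if not sources or sources == ["'none'"]:
        return "none"
    if sources == ["'self'"]:
        return "same-origin"
    return "any" if "*" in sources else "listed-origins"


def xfo_framing(value):
    """Who may frame the response per X-Frame-Options; None if unusable."""
    token = (value or "").strip().upper()
    if token == "DENY":
        return "none"
    if token == "SAMEORIGIN":
        return "same-origin"
    # Missing, malformed or ALLOW-FROM (not honoured by current browsers):
    # counted as no protection from this header.
    return None


def framing_policy(headers):
    """Return (modern, legacy) framing verdicts for one response."""
    h = {name.lower(): value for name, value in headers.items()}
    csp = csp_framing(h.get("content-security-policy"))
    xfo = xfo_framing(h.get("x-frame-options"))
    # Browsers that implement frame-ancestors ignore X-Frame-Options when the
    # directive is present; browsers that predate it only see X-Frame-Options.
    return (csp or xfo or "any", xfo or "any")


def in_scope(path, prefix):
    """True for the prefix itself and anything below it (not '/ipatests')."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def audit(responses, prefix="/ipa"):
    """Return sorted (path, finding) pairs for a {path: headers} mapping."""
    findings = []
    for path in sorted(responses):
        modern, legacy = framing_policy(responses[path])
        if in_scope(path, prefix):
            if modern != "none":
                findings.append((path, "frameable in current browsers"))
            if legacy != "none":
                findings.append((path, "frameable in browsers without frame-ancestors"))
        elif (modern, legacy) != ("any", "any"):
            findings.append((path, "framing policy also sent outside " + prefix))
    return findings


# Constructed sample responses (assumed header values and paths).
BOTH = {"X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'"}
SERVER_WIDE = {"/ipa/ui/": BOTH, "/ipa/session/json": BOTH, "/other-app/": BOTH}
SCOPED = {"/ipa/ui/": BOTH, "/ipa/session/json": BOTH, "/other-app/": {}}
CSP_ONLY = {"/ipa/ui/": {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}}

if __name__ == "__main__":
    for name, sample in (("server-wide", SERVER_WIDE), ("scoped", SCOPED),
                         ("csp-only", CSP_ONLY)):
        print(name, audit(sample) or "ok")
```

The `CSP_ONLY` case shows why both headers are sent together: `frame-ancestors` alone leaves browsers that only understand `X-Frame-Options` without protection.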
From: mbasti at redhat.com (Martin Basti) Date: Thu, 10 Mar 2016 19:25:24 +0100 Subject: [Freeipa-devel] [PATCH] 0193 fix Coverity issue in extdom plugin In-Reply-To: <55ACF8E0.70805@redhat.com> References: <20150720132306.GG21928@redhat.com> <55ACF8E0.70805@redhat.com> Message-ID: <56E1BC14.1030603@redhat.com> On 20.07.2015 15:34, Christian Heimes wrote: > On 2015-07-20 15:23, Alexander Bokovoy wrote: >> Hi, >> >> this patch fixes Coverity CID 13130. The bug turned out to be impossible >> to cause crash in 389-ds externally because all conditions that could >> cause not to properly allocate req could not be influenced via extended >> operation (req could be NULL only if calloc() in parse_request_data() >> failed). >> >> The finding is still correct as calloc() indeed could fail. > ACK > > Coverity is really good in finding this kind of bug. Over the last > years I've fixed several similar issues in Python. > > Christian > > > > Pushed to master: 3208a093847098c481f0f385fd7c8941eba5a2e2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Thu Mar 10 21:14:27 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 10 Mar 2016 22:14:27 +0100 Subject: [Freeipa-devel] [PATCH 0088-0095] Add --forward-policy option into installers Message-ID: <56E1E3B2.3070907@redhat.com> Hello, I forgot to send patches before I leave, so here it is: Auto-detect default value for --forward-policy option in installers See https://fedorahosted.org/freeipa/ticket/5710 commit messages, and design page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones I did not have time to test it thoroughly but it LGTM :-D Please note that this is first part, it does not solve upgrade (yet) and warnings in forwardzone-* interface. This can be solved in another patch set, this can be pushed if it passes review. Enjoy. -- Petr^2 Spacek From pspacek at redhat.com Thu Mar 10 21:16:35 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 10 Mar 2016 22:16:35 +0100 Subject: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN In-Reply-To: <561D3ED1.3030700@redhat.com> References: <5617B56E.7000807@redhat.com> <20151012010036.GI13048@dhcp-40-8.bne.redhat.com> <561BD90A.9080000@redhat.com> <561D3ED1.3030700@redhat.com> Message-ID: <56E1E433.2060603@redhat.com> On 13.10.2015 19:26, Rob Crittenden wrote: > Jan Orel wrote: >>> The restriction was there so that hosts had limited visibility. This >>> applies that limitation to all users. I think the host check needs to be >>> re-added. >> >> I am confused, correct me if I am wrong, but the "if hostname:" check >> seems always redundant because it would raise exception before >> either here: >> >> 615 if not bind_principal.startswith('host/'): >> 616 raise acierr >> >> or in validate_principal() > > Anything bound to IPA can potentially retrieve a certificate. This code > adds special handling for hosts and probably should cover services as > well now that I think about it. I don't think services could be included > in ACIs when this was originally written. > > The idea was that hosts have no need to be able to query random serial > numbers so it should be limited to viewing its own. Removing the if > hostname: applies this logic to ALL retrieval which is by far overkill > and limits all non-admin entries to only be able to view certs they own > (or can write) which sort of kills the reason for the 'retrieve > certificate' permission. > >> >>> Also, every host is not guaranteed to have a krbPrincipalAux (it can be >>> unenrolled). I assume you used this to cover managed services as well, >>> that's why the broad search base? >> >> Checking it, even host which is not enrolled have objectClass: krbprincipalaux, >> but advise me if different search should be used. > > If a host is added with a password (random or otherwise) it won't have > this objectclass. 
I'd make the search filter something like > (|(objectclass=ipahost)(objectclass=ipaservice)). > > rob > Rob, could you or Honza (or somebody else) hand-hold Jan Orel a little bit? I was talking with boss of the guy and they are still interested in getting the patch in IPA but need more guidance and patience from us :-) -- Petr^2 Spacek From lslebodn at redhat.com Thu Mar 10 21:17:45 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 10 Mar 2016 22:17:45 +0100 Subject: [Freeipa-devel] [PATCH 0088-0095] Add --forward-policy option into installers In-Reply-To: <56E1E3B2.3070907@redhat.com> References: <56E1E3B2.3070907@redhat.com> Message-ID: <20160310211744.GD32482@mail.corp.redhat.com> On (10/03/16 22:14), Petr Spacek wrote: >Hello, > >I forgot to send a patches before I leave, so here it is: > >Auto-detect default value for --forward-policy option in installers > >See >https://fedorahosted.org/freeipa/ticket/5710 >commit messages, and design page >https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones > > >I did not have time to test it thoroughly but it LGTM :-D > >Please note that this is first part, it does not solve upgrade (yet) and >warnings in forwardzone-* interface. > >This can be solved in another patch set, this can be pushed if it passes review. > ENOPATH :-) LS From ofayans at redhat.com Thu Mar 10 22:09:33 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 10 Mar 2016 23:09:33 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56DF256E.8010000@redhat.com> References: <5640A90B.6030906@redhat.com> <565870D6.40908@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> Message-ID: <56E1F09D.10405@redhat.com> Hi Martin, On 03/08/2016 08:18 PM, Martin Basti wrote: > > > On 08.03.2016 18:24, Martin Basti wrote: >> >> >> On 08.03.2016 12:38, Oleg Fayans wrote: >>> The patches were rebased against the current master >>> >>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>> * old messages have been removed * >>>>>>>> 1) >>>>>>>> this method is unused please remove it >>>>>>>> >>>>>>>> def test_kra_install_master(self): >>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>> keep it: >>>>> >>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>> --collect-only >>>>> ==================================================================================== >>>>> >>>>> >>>>> test session starts >>>>> 
===================================================================================== >>>>> >>>>> >>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>> pytest.ini >>>>> plugins: sourceorder, multihost >>>>> collected 8 items >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> aah my bad, I forgot that pytest executes it when it begins with test_* >>>> even in parent class >>>>>>>> 2) >>>>>>>> Why are these there? I do not see any usage >>>>>>>> >>>>>>>> from env_config import get_global_config >>>>>>>> config = get_global_config() >>>>> Removed >>>>> >>>>>>>> 3) nitpick >>>>>>>> + num_clients = 0 >>>>>>>> this is set by default >>>>> Removed >>>>> >>>>>>>> otherwise LGTM >>>>>>>> >>>>>>>> Results of testing tomorrow. >>>>>>>> >>>>>>>> Martin^2 >>>>>>>> >>>>>>> I applied all patches including workarounds, but test failed. >>>>>>> >>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>> replica1.ipa.test already exists on the master server. >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>> remove it before proceeding: >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>> host-del replica1.ipa.test >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>> ipa-replica-install command failed. 
See >>>>>>> /var/log/ipareplica-install.log for more information >>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>> code: 3 >>>>>>> FAILED >>>>> this is exactly the error that happens when a workaround for 5627 >>>>> is not >>>>> applied. I have re-run the tests with all the patches and everything >>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>> correctly? >>>>> >>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>> --pdb >>>>> ==================================================================================== >>>>> >>>>> >>>>> test session starts >>>>> ===================================================================================== >>>>> >>>>> >>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>> pytest.ini >>>>> plugins: sourceorder, multihost >>>>> collected 8 items >>>>> >>>>> test_integration/test_replica_promotion.py ........ >>>>> >>>>> ================================================================================ >>>>> >>>>> >>>>> 8 passed in 7561.93 seconds >>>>> ================================================================================= >>>>> >>>>> >>>>> >>>> I will >>>> >>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>> https://fedorahosted.org/freeipa/ticket/5723 >> NACK >> >> 1) >> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >> >> >> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >> 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >> already configured on this system, ignoring the --domain, --server, >> --realm, --hostname, --password and --keytab options. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >> may be partly configured. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >> /usr/sbin/ipa-server-install --uninstall to clean up. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >> provide a file generated by ipa-replica-prepare to create a replica >> when the domain is at level 0. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >> ipa-replica-install command failed. 
See >> /var/log/ipareplica-install.log for more information >> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >> FAILED >> >> 2) >> ipatests.test_integration.test_replica_promotion.TestKRAInstall >> >> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >> 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >> already configured on this system, ignoring the --domain, --server, >> --realm, --hostname, --password and --keytab options. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >> may be partly configured. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >> /usr/sbin/ipa-server-install --uninstall to clean up. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >> provide a file generated by ipa-replica-prepare to create a replica >> when the domain is at level 0. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >> ipa-replica-install command failed. 
See >> /var/log/ipareplica-install.log for more information >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >> FAILED >> >> >> 3) >> ipatests.test_integration.test_replica_promotion.TestCAInstall >> >> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >> '192.168.200.103', '-r', 'IPA.TEST'] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >> already configured on this system, ignoring the --domain, --server, >> --realm, --hostname, --password and --keytab options. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >> may be partly configured. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >> /usr/sbin/ipa-server-install --uninstall to clean up. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >> provide a file generated by ipa-replica-prepare to create a replica >> when the domain is at level 0. >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >> ipa-replica-install command failed. See >> /var/log/ipareplica-install.log for more information >> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >> FAILED >> >> >> Reason: >> >> def install_replica(master, replica, setup_ca=True, setup_dns=False, >> - setup_kra=False, extra_args=()): >> + setup_kra=False, extra_args=(), domain_level=None): >> + if domain_level is None: >> + domain_level = domainlevel(master) Oops. 
Sorry, must have been a result of inaccurate rebase. Fixed The successful run is attached >> >> - if domainlevel(master) == DOMAIN_LEVEL_0: >> + if domainlevel == DOMAIN_LEVEL_0: >> >> domain_level variable is actually unused >> > Also with your patch that removes host_prepare, I see many following > errors in test debug output > > [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: > cd: /root/ipatests: No such file or directory > [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: > /root/ipatests/env.sh: No such file or directory > > > I do not see these errors in current tests, so the patch does not seem > right to me. http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull I've been experimenting a lot to find get rid of it but was unsuccessful. Seemingly it does not affect the tests. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part --------------
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/46]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/46]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/46]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/46]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/46]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/46]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/46]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/46]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/46]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/46]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/46]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/46]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/46]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/46]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/46]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/46]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/46]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/46]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/46]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/46]: configure new location for managed 
entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/46]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/46]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/46]: adding default layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/46]: adding delegation layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/46]: creating container for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [29/46]: configuring user private groups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [30/46]: configuring netgroups from hostgroups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [31/46]: creating default Sudo bind user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [32/46]: creating default Auto Member layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [33/46]: adding range check plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [34/46]: creating default HBAC rule allow_all [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [35/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [36/46]: adding entries for topology management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [37/46]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [38/46]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [39/46]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [40/46]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [41/46]: adding replication acis 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [42/46]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [43/46]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [44/46]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [45/46]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [46/46]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/28]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/28]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/28]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/28]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/28]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/28]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/28]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/28]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/28]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/28]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/28]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/28]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 
[13/28]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/28]: requesting RA certificate from CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/28]: issuing RA agent certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/28]: adding RA agent as a trusted user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/28]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/28]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/28]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/28]: configure RA certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/28]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/28]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/28]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/28]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/28]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/28]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 10 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/3]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/3]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/3]: adding CA certificate entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: adding kerberos container to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: initialize kerberos container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: adding default ACIs [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/21]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/21]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/21]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/21]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/21]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/21]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/21]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/21]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/21]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/21]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/21]: setting up browser autoconfig [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/21]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/21]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/21]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/21]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/21]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/21]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/21]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/21]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/21]: enabling oddjobd 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/11]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/11]: adding DNS container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/11]: setting up our zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/11]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/11]: setting up records for other masters [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/11]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/11]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/11]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/11]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/11]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/11]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS (named). 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Setup complete [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Next steps: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 1. 
You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] TCP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] UDP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 123: ntp [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] and the web user interface. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] =================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] This program will setup Dogtag KRA for the FreeIPA Server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Configuring KRA server (pki-tomcatd). 
's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] ?/home/ofayans/ipatests/file_backup/etc/hosts? -> ?/etc/hosts? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] ?/home/ofayans/ipatests/file_backup/etc/hostname? -> ?/etc/hostname? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] /sbin/restorecon reset /etc context system_u:object_r:nfs_t:s0->system_u:object_r:etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] /sbin/restorecon reset /etc/hosts context system_u:object_r:nfs_t:s0->system_u:object_r:net_conf_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] /sbin/restorecon reset /etc/hostname context system_u:object_r:nfs_t:s0->system_u:object_r:hostname_etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd35] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd36] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd36] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd36] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] removed ?/home/ofayans/ipatests/file_backup/etc/hosts? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] removed ?/home/ofayans/ipatests/file_backup/etc/hostname? 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] removed directory: ?/home/ofayans/ipatests/file_backup/etc? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] removed directory: ?/home/ofayans/ipatests/file_backup? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd37] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd38] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd38] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd39] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd39] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd40] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd40] removed ?/home/ofayans/ipatests/env.sh? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd40] removed directory: ?/home/ofayans/ipatests? 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd40] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd41] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd41] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd41] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd41] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd41] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd42] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd42] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd42] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd42] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd42] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd43] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd43] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd43] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd43] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd43] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd44] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd44] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd44] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd44] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd45] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd45] -bash: line 1: cd: /home/ofayans/ipatests: No such file or 
directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd45] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd45] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] ipa: ERROR: vm-058-114.abc.idm.lab.eng.brq.redhat.com: host not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] -------------------------------------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Deleted host "vm-058-114.abc.idm.lab.eng.brq.redhat.com" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] -------------------------------------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd46] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd46] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd46] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] MKDIR /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup 
[ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd47] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd47] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.114 vm-058-114.abc.idm.lab.eng.brq.redhat.com vm-058-114 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd48] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd48] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd49] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd49] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd50] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd50] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] ipa: ERROR: no modifications to be performed [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd51] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd51] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd52] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd52] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] Exit code: 1 [ipa.ipatests.test_integration.tasks] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Unable to resolve the IP address 10.34.58.114 to a host name, check /etc/hosts and DNS name resolution [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Preparing replica for vm-058-114.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Packaging replica information into /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [12/41]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [21/41]: configure 
autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed Update in progress, 4 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [36/41]: adding replication acis 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [37/41]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/24]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/24]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/24]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/24]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/24]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [6/24]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [7/24]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [8/24]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [9/24]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [10/24]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [11/24]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [12/24]: setting up signing cert profile 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [13/24]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [14/24]: importing RA certificate from PKCS #12 file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [15/24]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [16/24]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [17/24]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [18/24]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [19/24]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [20/24]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [21/24]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [22/24]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [23/24]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [24/24]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Restarting the directory and certificate servers [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring kadmin. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [16/20]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring the web 
interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Done. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Client hostname: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] IPA Server: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] trying https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Forwarding 'ping' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Forwarding 'ca_is_enabled' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Forwarding 'host_mod' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Client configuration complete. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd53] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd54] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd54] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd54] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd54] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd55] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd55] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd56] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd56] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd57] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd57] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd58] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd58] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd58] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd58] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd58] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd59] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd59] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd59] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd60] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd60] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd60] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd61] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd61] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd62] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd62] Password for admin@DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd62] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-backup'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] RUN ['ipa-backup'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Preparing backup on vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Stopping IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Backing up ipaca in DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM to LDIF [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Backing up userRoot in DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM to LDIF [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Backing up DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Backing up files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Backed up to /var/lib/ipa/backup/ipa-full-2016-03-09-13-22-04 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Starting IPA service [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] The ipa-backup command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa',
'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'topologysegment-find', 'domain'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] RUN ['ipa', 'topologysegment-find', 'domain'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] ----------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] 1 segment matched [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] ----------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Segment name: vm-058-114.abc.idm.lab.eng.brq.redhat.com-to-vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Left node: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Right node: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Connectivity: both [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] ---------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Number of entries returned 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] ---------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-restore', '-U', '-p', 'x2k1j5tdsl', '/var/lib/ipa/backup/ipa-full-2016-03-09-13-22-04'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] RUN ['ipa-restore', '-U', '-p', 'x2k1j5tdsl', 
'/var/lib/ipa/backup/ipa-full-2016-03-09-13-22-04'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Preparing restore from /var/lib/ipa/backup/ipa-full-2016-03-09-13-22-04 on vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Performing FULL restore from FULL backup [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Each master will individually need to be re-initialized or [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] re-created from this one. The replication agreements on [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] masters running IPA 3.1 or earlier will need to be manually [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] re-enabled. See the man page for details. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Disabling all replication. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Disabling replication agreement on vm-058-114.abc.idm.lab.eng.brq.redhat.com to vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Disabling CA replication agreement on vm-058-114.abc.idm.lab.eng.brq.redhat.com to vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Stopping IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Restoring files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Restoring from userRoot in DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Restoring from ipaca in DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Starting IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Restarting SSSD [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] The ipa-restore command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'topologysegment-find', 'domain'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] RUN ['ipa', 'topologysegment-find', 'domain'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ------------------ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] 0 segments matched [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ------------------ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ---------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] Number of entries returned 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ---------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] Exit code: 1 .[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] ipa: INFO: Setting agreement cn=meTovm-058-115.abc.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=dom-058-115\,dc\=abc\,dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config schedule to 
2358-2359 0 to force synch [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTovm-058-115.abc.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=dom-058-115\,dc\=abc\,dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: agreement disabled: start: 0: end: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Deleting replication agreements between vm-058-114.abc.idm.lab.eng.brq.redhat.com and vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Unable to remove agreement on vm-058-114.abc.idm.lab.eng.brq.redhat.com: Server is unwilling to perform: Entry is managed by topology plugin.Deletion not allowed. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Forcing removal on 'vm-058-115.abc.idm.lab.eng.brq.redhat.com' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Any DNA range on 'vm-058-114.abc.idm.lab.eng.brq.redhat.com' will be lost [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Deleted replication agreement from 'vm-058-115.abc.idm.lab.eng.brq.redhat.com' to 'vm-058-114.abc.idm.lab.eng.brq.redhat.com' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Failed to cleanup vm-058-114.abc.idm.lab.eng.brq.redhat.com DNS entries: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] You may need to manually remove them from the tree [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaserver-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd63] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd63] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd63] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd63] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd63] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Removing Kerberos service principals from /etc/krb5.keytab 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd64] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd65] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd65] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd65] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd65] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd66] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd66] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] ‘/home/ofayans/ipatests/file_backup/etc/hosts’ -> ‘/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] ‘/home/ofayans/ipatests/file_backup/etc/hostname’ -> ‘/etc/hostname’
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] /sbin/restorecon reset /etc context system_u:object_r:nfs_t:s0->system_u:object_r:etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] /sbin/restorecon reset /etc/hosts context system_u:object_r:nfs_t:s0->system_u:object_r:net_conf_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] /sbin/restorecon reset /etc/hostname context system_u:object_r:nfs_t:s0->system_u:object_r:hostname_etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd67] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd68] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd68] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd68] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] removed ‘/home/ofayans/ipatests/file_backup/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] removed ‘/home/ofayans/ipatests/file_backup/etc/hostname’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] removed directory: ‘/home/ofayans/ipatests/file_backup/etc’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] removed directory: ‘/home/ofayans/ipatests/file_backup’
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd69] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd70] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd70] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd71] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd71] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd72] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd72] removed ‘/home/ofayans/ipatests/env.sh’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd72] removed ‘/home/ofayans/ipatests/replica-info.gpg’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd72] removed directory: ‘/home/ofayans/ipatests’
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd72] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd73] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd73] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd73] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd73] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd73] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd74] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd74] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd74] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd74] find: ‘/home/ofayans/ipatests/file_backup’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd74] Exit code: 0
[ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd75] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd75] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd75] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd75] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd75] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd76] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd76] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd76] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd76] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd77] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd77] -bash: line 1: cd: /home/ofayans/ipatests: No such file or
directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd77] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd77] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] ipa: ERROR: vm-058-114.abc.idm.lab.eng.brq.redhat.com: host not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] ipa: ERROR: vm-058-114.abc.idm.lab.eng.brq.redhat.com: host not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] 
-bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring kadmin 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Client uninstall complete. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd49] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd50] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd50] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd50] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd50] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf 
'/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd51] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd51] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd51] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd51] find: ‘/home/ofayans/ipatests/file_backup’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd51] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd52] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd52] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd52] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd52] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd52] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd53] RUN ['rm', '-rvf', 
'/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd53] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd53] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd53] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd54] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd54] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd54] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd54] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd78] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd78] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd78] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd78] ipa: ERROR: Client is not configured. Run ipa-client-install. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd78] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] WARNING: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] IPA server is not configured on this system. If you want to install the [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] IPA server, please install it using 'ipa-server-install'. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] WARNING: Failed to connect to Directory Server to find information about [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] replication agreements. Uninstallation will continue despite the possible [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] existing replication agreements. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] If this server is the last instance of CA, [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] KRA, or DNSSEC master, uninstallation may result in data loss. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd79] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd80] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd81] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd81] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd81] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd81] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd82] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd82] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd82] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd82] find: ‘/home/ofayans/ipatests/file_backup’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd82] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd83] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd83] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd83] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd83] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd83] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd84] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd84] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd84] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd84] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd85] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd85] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd85] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd85] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaserver-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/dirsrv/slapd-DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/errors to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/dirsrv/slapd-DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/access to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
MKDIR /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.115 vm-058-115.abc.idm.lab.eng.brq.redhat.com vm-058-115 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT 
/etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=0', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=0', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com, please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The log file for this installation can be found in /var/log/ipaserver-install.log [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This program will set up the FreeIPA Server. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This includes: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure a stand-alone CA (dogtag) for certificate management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure the Network Time Daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure an instance of Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure a Kerberos Key Distribution Center (KDC) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure Apache (httpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure DNS (bind) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Warning: skipping DNS resolution of host vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com., please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS forwarders, please wait ... 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The IPA Master Server will be configured with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IP address(es): 10.34.58.115 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Domain name: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm name: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BIND DNS server will be configured to serve IPA domain with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarders: 10.38.5.26 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Reverse zone(s): No reverse zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/46]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/46]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/46]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/46]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/46]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/46]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/46]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/46]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/46]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/46]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/46]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/46]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/46]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/46]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/46]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/46]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/46]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/46]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/46]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/46]: configure new location for managed 
entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/46]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/46]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/46]: adding default layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/46]: adding delegation layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/46]: creating container for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [29/46]: configuring user private groups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [30/46]: configuring netgroups from hostgroups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [31/46]: creating default Sudo bind user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [32/46]: creating default Auto Member layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [33/46]: adding range check plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [34/46]: creating default HBAC rule allow_all [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [35/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [36/46]: adding entries for topology management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [37/46]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [38/46]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [39/46]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [40/46]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [41/46]: adding replication acis 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [42/46]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [43/46]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [44/46]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [45/46]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [46/46]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/28]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/28]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/28]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/28]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/28]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/28]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/28]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/28]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/28]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/28]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/28]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/28]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 
[13/28]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/28]: requesting RA certificate from CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/28]: issuing RA agent certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/28]: adding RA agent as a trusted user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/28]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/28]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/28]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/28]: configure RA certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/28]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/28]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/28]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/28]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/28]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/28]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 10 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/3]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/3]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/3]: adding CA certificate entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: adding kerberos container to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: initialize kerberos container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: adding default ACIs [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/21]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/21]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/21]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/21]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/21]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/21]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/21]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/21]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/21]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/21]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/21]: setting up browser autoconfig [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/21]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/21]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/21]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/21]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/21]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/21]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/21]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/21]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/21]: enabling oddjobd 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/11]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/11]: adding DNS container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/11]: setting up our zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/11]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/11]: setting up records for other masters [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/11]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/11]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/11]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/11]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/11]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/11]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS (named). 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Setup complete [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Next steps: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 1. 
You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] TCP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] UDP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 123: ntp [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] and the web user interface. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] =================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] This program will setup Dogtag KRA for the FreeIPA Server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Configuring KRA server (pki-tomcatd). 
Estimated time: 2 minutes 6 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [1/8]: configuring KRA instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [2/8]: create KRA agent [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [3/8]: restarting KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [4/8]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [5/8]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [6/8]: configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [7/8]: add vault container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [8/8]: apply LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Done configuring KRA server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] The ipa-kra-install command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] Exit code: 0 
[ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.114 vm-058-114.abc.idm.lab.eng.brq.redhat.com vm-058-114 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', 
'/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Allow PTR sync: 
TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Zone name: 58.34.10.in-addr.arpa. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Active zone: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Authoritative nameserver: vm-058-115.abc.idm.lab.eng.brq.redhat.com. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Administrator e-mail address: hostmaster [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] SOA serial: 1457527124 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] SOA refresh: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] SOA retry: 900 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] SOA expire: 1209600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] SOA minimum: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] BIND update policy: grant DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-subdomain 58.34.10.in-addr.arpa. PTR; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Dynamic update: FALSE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Allow query: any; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Allow transfer: none; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Unable to resolve the IP address 10.34.58.114 to a host name, check /etc/hosts and DNS name resolution [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Preparing replica for 
vm-058-114.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Packaging replica information into /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. 
(Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring directory server (dirsrv). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/41]: configuring 
modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [21/41]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Starting replication, please wait until this has completed. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed Update in progress, 4 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [36/41]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [37/41]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/24]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/24]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/24]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/24]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/24]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/24]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/24]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/24]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/24]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/24]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/24]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/24]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/24]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/24]: importing RA certificate from PKCS #12 file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/24]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/24]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/24]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/24]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/24]: Configure HTTP to proxy connections 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/24]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [21/24]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [22/24]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [23/24]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [24/24]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the directory and certificate servers [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring the web interface (httpd). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/20]: create KDC proxy 
config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client hostname: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] IPA Server: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] trying https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ping' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client configuration complete. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN 
find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] removed ‘/var/lib/sss/mc/passwd’ 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] A replica file is required. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] =================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] This program will setup Dogtag KRA for the FreeIPA Server. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [1/7]: configuring KRA instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [2/7]: restarting KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [3/7]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [4/7]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [5/7]: configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [6/7]: add vault container [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] [7/7]: apply LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Done configuring KRA server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Restarting the directory and KRA servers [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] The ipa-kra-install command was successful [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] Exit code: 1 [ipa.ipatests.test_integration.tasks] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Preparing replica for vm-058-118.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Saving dogtag 
Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Packaging replica information into /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] ----------------------- 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT 
/etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 
'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ipa: ERROR: no modifications to be performed [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Exit code: 2 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-install.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] RUN hostname > 
'/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] ipa: ERROR: no modifications to be performed [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Exit code: 1 [ipa.ipatests.test_integration.tasks] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." 
already exists [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-client-install', '-U', '--domain', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '--realm', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'admin', '-w', 'x2k1j5tdsl', '--server', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] RUN ['ipa-client-install', '-U', '--domain', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '--realm', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'admin', '-w', 'x2k1j5tdsl', '--server', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Client hostname: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Synchronizing time with KDC... [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Attempting to sync time using ntpd. Will timeout after 15 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Attempting to sync time using ntpd. Will timeout after 15 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Attempting to sync time using ntpd. Will timeout after 15 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Successfully retrieved CA cert [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Subject: CN=Certificate Authority,O=DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Issuer: CN=Certificate Authority,O=DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Valid 
From: Wed Mar 09 12:28:49 2016 UTC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Valid Until: Sun Mar 09 12:28:49 2036 UTC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Enrolled in IPA realm DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Created /etc/ipa/default.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured /etc/krb5.conf for IPA realm DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Could not update DNS SSHFP records. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] NTP enabled [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 
(vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/43]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/43]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/43]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/43]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [5/43]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [6/43]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [7/43]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [8/43]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [9/43]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [10/43]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [11/43]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [12/43]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [13/43]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [14/43]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [15/43]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [16/43]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [17/43]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [18/43]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [19/43]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [20/43]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [21/43]: configure new 
location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [22/43]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [23/43]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [24/43]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [25/43]: creating DS keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [26/43]: retrieving DS Certificate [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [27/43]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [28/43]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [29/43]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [30/43]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [31/43]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [32/43]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [33/43]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [34/43]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [35/43]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [36/43]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [37/43]: configuring Posix uid/gid generation 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [38/43]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [39/43]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [40/43]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [41/43]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [42/43]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [43/43]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/5]: Importing RA Key [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/4]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/4]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/4]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/4]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring Kerberos KDC (krb5kdc). 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring kadmin. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring the web interface (httpd). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/19]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/19]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/19]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [5/19]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [6/19]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [7/19]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [8/19]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [9/19]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [10/19]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [11/19]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [12/19]: clean up any existing httpd 
ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [13/19]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [14/19]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [15/19]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [16/19]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [17/19]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [18/19]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [19/19]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [1/23]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [2/23]: creating certificate server db [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [3/23]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [4/23]: creating installation admin user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [5/23]: setting up certificate server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [6/23]: stopping instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [7/23]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [8/23]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [9/23]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [10/23]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [11/23]: set up client auth to db 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [12/23]: destroying installation admin user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [13/23]: starting instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [14/23]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [15/23]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [16/23]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [17/23]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [18/23]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [19/23]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [20/23]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [21/23]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [22/23]: Restart HTTP server to pick up changes [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] [23/23]: enabling CA instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Done configuring certificate server (pki-tomcatd). 
/etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=0', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=0', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com, please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The log file for this installation can be found in /var/log/ipaserver-install.log [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This program will set up the FreeIPA Server. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This includes: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure a stand-alone CA (dogtag) for certificate management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure the Network Time Daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure an instance of Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure a Kerberos Key Distribution Center (KDC) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure Apache (httpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure DNS (bind) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Warning: skipping DNS resolution of host vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com., please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS forwarders, please wait ... 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The IPA Master Server will be configured with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IP address(es): 10.34.58.115 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Domain name: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm name: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BIND DNS server will be configured to serve IPA domain with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarders: 10.38.5.26 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Reverse zone(s): No reverse zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/46]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/46]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/46]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/46]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/46]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/46]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/46]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/46]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/46]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/46]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/46]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/46]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/46]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/46]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/46]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/46]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/46]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/46]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/46]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/46]: configure new location for managed 
entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/46]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/46]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/46]: adding default layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/46]: adding delegation layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/46]: creating container for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [29/46]: configuring user private groups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [30/46]: configuring netgroups from hostgroups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [31/46]: creating default Sudo bind user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [32/46]: creating default Auto Member layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [33/46]: adding range check plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [34/46]: creating default HBAC rule allow_all [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [35/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [36/46]: adding entries for topology management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [37/46]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [38/46]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [39/46]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [40/46]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [41/46]: adding replication acis 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [42/46]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [43/46]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [44/46]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [45/46]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [46/46]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/28]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/28]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/28]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/28]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/28]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/28]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/28]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/28]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/28]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/28]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/28]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/28]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 
[13/28]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/28]: requesting RA certificate from CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/28]: issuing RA agent certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/28]: adding RA agent as a trusted user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/28]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/28]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/28]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/28]: configure RA certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/28]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/28]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/28]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/28]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/28]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/28]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 10 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/3]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/3]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/3]: adding CA certificate entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: adding kerberos container to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: initialize kerberos container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: adding default ACIs [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/21]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/21]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/21]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/21]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/21]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/21]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/21]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/21]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/21]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/21]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/21]: setting up browser autoconfig [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/21]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/21]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/21]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/21]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/21]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/21]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/21]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/21]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/21]: enabling oddjobd 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/11]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/11]: adding DNS container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/11]: setting up our zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/11]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/11]: setting up records for other masters [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/11]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/11]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/11]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/11]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/11]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/11]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS (named). 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Setup complete [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Next steps: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 1. 
You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] TCP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] UDP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 123: ntp [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] and the web user interface. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] removed ‘/var/lib/sss/mc/passwd’ 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Password for admin@DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh 
[ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.114 vm-058-114.abc.idm.lab.eng.brq.redhat.com vm-058-114 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE 
/etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Password for admin@DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Allow PTR sync: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Zone name: 58.34.10.in-addr.arpa. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Active zone: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Authoritative nameserver: vm-058-115.abc.idm.lab.eng.brq.redhat.com. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Administrator e-mail address: hostmaster [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA serial: 1457529169 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA refresh: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA retry: 900 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA expire: 1209600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA minimum: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] BIND update policy: grant DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-subdomain 58.34.10.in-addr.arpa. PTR; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Dynamic update: FALSE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Allow query: any; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Allow transfer: none; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Unable to resolve the IP address 10.34.58.114 to a host name, check /etc/hosts and DNS name resolution [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Preparing replica for 
vm-058-114.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Packaging replica information into /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-dns', '--forwarder', '10.38.5.26', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-dns', '--forwarder', '10.38.5.26', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. 
Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Checking DNS forwarders, please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/41]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [21/41]: configure autobind for root 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed Update in progress, 4 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [36/41]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [37/41]: enabling 
compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring the web interface (httpd). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/20]: create KDC proxy 
config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/8]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/8]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/8]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/8]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/8]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/8]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/8]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/8]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring DNS (named). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Global DNS configuration in LDAP server is not empty [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] The following configuration options override local settings in named.conf: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Allow PTR sync: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Using existing certificate '/etc/ipa/ca.crt'. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client hostname: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] IPA Server: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Skipping synchronizing time with NTP server. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] trying https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ping' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] 
Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] removed ‘/var/lib/sss/mc/passwd’ 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh 
[ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hostname 
[ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] ipa: ERROR: no modifications to be performed [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Exit code: 1 [ipa.ipatests.test_integration.tasks] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." 
already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Preparing replica for vm-058-118.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Packaging replica information into /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-dns', '--forwarder', '10.38.5.26', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-dns', '--forwarder', '10.38.5.26', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Checking DNS forwarders, please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [12/41]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [21/41]: configure autobind for root 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [36/41]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [37/41]: enabling compatibility plugin 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring the web interface (httpd). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [16/20]: create KDC proxy 
config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/8]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/8]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/8]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/8]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/8]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/8]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/8]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/8]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring DNS (named). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Global DNS configuration in LDAP server is not empty [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] The following configuration options override local settings in named.conf: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Allow PTR sync: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Using existing certificate '/etc/ipa/ca.crt'. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Client hostname: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] IPA Server: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Skipping synchronizing time with NTP server. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] trying https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'ping' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] 
Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ?/var/lib/sss/db/config.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ?/var/lib/sss/db/sssd.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ?/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] removed ?/var/lib/sss/mc/group? [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] removed ?/var/lib/sss/mc/passwd? 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] One or more CA masters are already present in IPA realm 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM'. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] If you wish to replicate CA to this host, please re-run 'ipa-ca-install' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] with a replica file generated on an existing CA master as argument. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] This replica was created for 'vm-058-118.abc.idm.lab.eng.brq.redhat.com' but this machine is named 'vm-058-114.abc.idm.lab.eng.brq.redhat.com' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] This may cause problems. Continue? [no]: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] Too many parameters provided. 
No replica file is required [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] RUN ['ipa-ca-install', '-U', '-p', 'x2k1j5tdsl', '-P', 'admin', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [1/23]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [2/23]: creating certificate server db [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [3/23]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Starting replication, please wait until this has completed. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [4/23]: creating installation admin user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [5/23]: setting up certificate server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [6/23]: stopping instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [7/23]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [8/23]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [9/23]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [10/23]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [11/23]: set up client auth to db [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [12/23]: destroying installation admin user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [13/23]: starting instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [14/23]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [15/23]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [16/23]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [17/23]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [18/23]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [19/23]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [20/23]: Configure HTTP to proxy 
connections [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [21/23]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [22/23]: Restart HTTP server to pick up changes [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] [23/23]: enabling CA instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Exit code: 0 .[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] WARNING: This IPA master is still a part of the replication topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] $ ipa-replica-manage del vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ‘/home/ofayans/ipatests/file_backup/etc/hosts’ -> ‘/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ‘/home/ofayans/ipatests/file_backup/etc/hostname’ -> ‘/etc/hostname’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] /sbin/restorecon reset /etc context system_u:object_r:nfs_t:s0->system_u:object_r:etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] /sbin/restorecon reset /etc/hosts context system_u:object_r:nfs_t:s0->system_u:object_r:net_conf_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] /sbin/restorecon reset /etc/hostname context system_u:object_r:nfs_t:s0->system_u:object_r:hostname_etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] removed ‘/home/ofayans/ipatests/file_backup/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] removed ‘/home/ofayans/ipatests/file_backup/etc/hostname’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] removed directory: ‘/home/ofayans/ipatests/file_backup/etc’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] removed directory: ‘/home/ofayans/ipatests/file_backup’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] removed ‘/home/ofayans/ipatests/env.sh’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] removed ‘/home/ofayans/ipatests/replica-info.gpg’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] removed directory: ‘/home/ofayans/ipatests’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] WARNING: This IPA master is still a part of the replication topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] $ ipa-replica-manage del vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Disabling client Kerberos and LDAP 
configurations [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] find: ‘/home/ofayans/ipatests/file_backup’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd26] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd26] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd26] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd26] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests']
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd27] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd27] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd27] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd27] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] WARNING: Failed to determine whether the IPA master was already removed from topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] WARNING: This IPA master is still a part of the replication topology. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] $ ipa-replica-manage del vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Failed to remove Kerberos service principals: Command 
'/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] find: ‘/home/ofayans/ipatests/file_backup’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd26] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd26] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd26] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd26] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests']
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd27] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd27] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd27] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd27] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaserver-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/dirsrv/slapd-DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/errors to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/dirsrv/slapd-DOM-058-115-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/access to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
MKDIR /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] MKDIR /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.115 vm-058-115.abc.idm.lab.eng.brq.redhat.com vm-058-115 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT 
/etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd5] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd7] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=1', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] RUN ['ipa-server-install', '-U', '-n', 'dom-058-115.abc.idm.lab.eng.brq.redhat.com', '-r', 'DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM', '-p', 'x2k1j5tdsl', '-a', 'x2k1j5tdsl', '--domain-level=1', '--setup-dns', '--forwarder', '10.38.5.26', '--auto-reverse'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com, please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The log file for this installation can be found in /var/log/ipaserver-install.log [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This program will set up the FreeIPA Server. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This includes: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure a stand-alone CA (dogtag) for certificate management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure the Network Time Daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure an instance of Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Create and configure a Kerberos Key Distribution Center (KDC) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure Apache (httpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * Configure DNS (bind) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Warning: skipping DNS resolution of host vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS domain dom-058-115.abc.idm.lab.eng.brq.redhat.com., please wait ... [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Checking DNS forwarders, please wait ... 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] The IPA Master Server will be configured with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IP address(es): 10.34.58.115 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Domain name: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm name: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BIND DNS server will be configured to serve IPA domain with: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarders: 10.38.5.26 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Reverse zone(s): No reverse zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/46]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/46]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/46]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/46]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/46]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/46]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/46]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/46]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/46]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/46]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/46]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/46]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/46]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/46]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/46]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/46]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/46]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/46]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/46]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/46]: configure new location for managed 
entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/46]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/46]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/46]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/46]: adding default layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/46]: adding delegation layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/46]: creating container for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [29/46]: configuring user private groups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [30/46]: configuring netgroups from hostgroups [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [31/46]: creating default Sudo bind user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [32/46]: creating default Auto Member layout [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [33/46]: adding range check plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [34/46]: creating default HBAC rule allow_all [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [35/46]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [36/46]: adding entries for topology management [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [37/46]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [38/46]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [39/46]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [40/46]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [41/46]: adding replication acis 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [42/46]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [43/46]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [44/46]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [45/46]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [46/46]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/28]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/28]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/28]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/28]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/28]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/28]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/28]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/28]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/28]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/28]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/28]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/28]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 
[13/28]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/28]: requesting RA certificate from CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/28]: issuing RA agent certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/28]: adding RA agent as a trusted user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/28]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/28]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/28]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/28]: configure RA certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [22/28]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [23/28]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [24/28]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [25/28]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [26/28]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [27/28]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [28/28]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring directory server (dirsrv). 
Estimated time: 10 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/3]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/3]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/3]: adding CA certificate entry [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: adding kerberos container to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: initialize kerberos container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: adding default ACIs [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/21]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/21]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/21]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/21]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/21]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/21]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/21]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/21]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/21]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/21]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/21]: setting up browser autoconfig [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/21]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/21]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/21]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/21]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/21]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/21]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/21]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/21]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/21]: enabling oddjobd 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/11]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/11]: adding DNS container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/11]: setting up our zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/11]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/11]: setting up records for other masters [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/11]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/11]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/11]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/11]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/11]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/11]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS (named). 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Setup complete [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Next steps: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 1. 
You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] TCP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] UDP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 123: ntp [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] and the web user interface. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] removed ‘/var/lib/sss/mc/passwd’ 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] RUN ['ipa-kra-install', '-U', '-p', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] =================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] This program will setup Dogtag KRA for the FreeIPA Server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Configuring KRA server (pki-tomcatd). 
Estimated time: 2 minutes 6 seconds [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [1/8]: configuring KRA instance [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [2/8]: create KRA agent [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [3/8]: restarting KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [4/8]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [5/8]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [6/8]: configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [7/8]: add vault container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] [8/8]: apply LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Done configuring KRA server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] The ipa-kra-install command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'vault-find'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] RUN ['ipa', 'vault-find'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ---------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] 0 vaults matched [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ---------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ---------------------------- 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Number of entries returned 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ---------------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Exit code: 1 .[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] vm-058-114.abc.idm.lab.eng.brq.redhat.com is not listed among IPA masters. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Please specify an actual server or add the --cleanup option to force clean up. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Exit code: 1 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaserver-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] ipa: ERROR: Client is not configured. Run ipa-client-install. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] WARNING: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] IPA server is not configured on this system. 
If you want to install the [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] IPA server, please install it using 'ipa-server-install'. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] WARNING: Failed to connect to Directory Server to find information about [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] replication agreements. Uninstallation will continue despite the possible [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] existing replication agreements. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] If this server is the last instance of CA, [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] KRA, or DNSSEC master, uninstallation may result in data loss. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] ?/home/ofayans/ipatests/file_backup/etc/hosts? -> ?/etc/hosts? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] ?/home/ofayans/ipatests/file_backup/etc/hostname? -> ?/etc/hostname? 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] /sbin/restorecon reset /etc context system_u:object_r:nfs_t:s0->system_u:object_r:etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] /sbin/restorecon reset /etc/hosts context system_u:object_r:nfs_t:s0->system_u:object_r:net_conf_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] /sbin/restorecon reset /etc/hostname context system_u:object_r:nfs_t:s0->system_u:object_r:hostname_etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] removed ?/home/ofayans/ipatests/file_backup/etc/hosts? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] removed ?/home/ofayans/ipatests/file_backup/etc/hostname? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] removed directory: ?/home/ofayans/ipatests/file_backup/etc? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] removed directory: ?/home/ofayans/ipatests/file_backup? 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] RUN ['hostname', 'vm-058-115.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] removed ?/home/ofayans/ipatests/env.sh? [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] removed directory: ?/home/ofayans/ipatests? 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] -bash: line 1: cd: /home/ofayans/ipatests: No such file or 
directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] RUN ['ipa', 'host-del', '--updatedns', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] ipa: ERROR: vm-058-114.abc.idm.lab.eng.brq.redhat.com: host not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] RUN ['ipa', 'host-del', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] ipa: ERROR: vm-058-114.abc.idm.lab.eng.brq.redhat.com: host not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', '--ip-address', '10.34.58.114', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', '--ip-address', '10.34.58.114', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Replica creation using 'ipa-replica-prepare' to generate replica file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] is supported only in 0-level IPA domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] The current IPA domain level is 1 and thus the replica must [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] be created by promoting an existing IPA client. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] To set up a replica use the following procedure: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] 1.) set up a client on the host using 'ipa-client-install' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] 2.) promote the client to replica running 'ipa-replica-install' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] *without* replica file specified [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] 'ipa-replica-prepare' is allowed only in domain level 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] The ipa-replica-prepare command failed. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Exit code: 1 .[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] RUN ['ipa-replica-manage', 'del', '--force', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] vm-058-114.abc.idm.lab.eng.brq.redhat.com is not listed among IPA masters. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Please specify an actual server or add the --cleanup option to force clean up. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Exit code: 1 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaserver-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] ipa: ERROR: Client is not configured. Run ipa-client-install. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] RUN ['ipa-server-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] WARNING: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] IPA server is not configured on this system. If you want to install the [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] IPA server, please install it using 'ipa-server-install'. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] WARNING: Failed to connect to Directory Server to find information about [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] replication agreements. Uninstallation will continue despite the possible [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] existing replication agreements. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] If this server is the last instance of CA, [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] KRA, or DNSSEC master, uninstallation may result in data loss. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] IPA client is not configured on this system. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipaclient-uninstall.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] RUN ['ipa-client-install', '--uninstall', '-U'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] IPA client is not configured on this system. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring ipa-custodia. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/21]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/21]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/21]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/21]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/21]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/21]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/21]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/21]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/21]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/21]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [12/21]: setting up browser autoconfig [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [13/21]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [14/21]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [15/21]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [16/21]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [17/21]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [18/21]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [19/21]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [20/21]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [21/21]: enabling oddjobd 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS (named) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/11]: generating rndc key file [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/11]: adding DNS container [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/11]: setting up our zone [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/11]: setting up our own record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/11]: setting up records for other masters [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/11]: adding NS record to the zones [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/11]: setting up CA record [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [8/11]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [9/11]: setting up named.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [10/11]: configuring named to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [11/11]: changing resolv.conf to point to ourselves [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS (named). 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring DNS key synchronization service (ipa-dnskeysyncd) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [1/7]: checking status [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [2/7]: setting up bind-dyndb-ldap working directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [3/7]: setting up kerberos principal [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [4/7]: setting up SoftHSM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [5/7]: adding DNSSEC containers [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [6/7]: creating replica keys [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [7/7]: configuring ipa-dnskeysyncd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Done configuring DNS key synchronization service (ipa-dnskeysyncd). [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client hostname: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] IPA Server: vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] trying https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ping' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-115.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Client configuration complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] ============================================================================== [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Setup complete [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Next steps: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 1. 
You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] TCP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] UDP Ports: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 53: bind [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] * 123: ntp [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] and the web user interface. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-115.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] 
RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ?/var/lib/sss/db/config.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ?/var/lib/sss/db/sssd.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] removed ?/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb? [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] removed ?/var/lib/sss/mc/group? [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] removed ?/var/lib/sss/mc/passwd? 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd17] Exit code: 0 [ipa.ipatests.test_integration.tasks] IPA: found 1 A records for vm-058-115.abc.idm.lab.eng.brq.redhat.com.: 10.34.58.115 [ipa.ipatests.test_integration.tasks] The host (dom-058-115.abc.idm.lab.eng.brq.redhat.com) is resolvable. [ipa.ipatests.test_integration.tasks] IPA: found 1 A records for vm-058-114.abc.idm.lab.eng.brq.redhat.com.: 10.34.58.114 [ipa.ipatests.test_integration.tasks] The host (dom-058-115.abc.idm.lab.eng.brq.redhat.com) is resolvable. [ipa.ipatests.test_integration.tasks] IPA: found 1 A records for vm-058-118.abc.idm.lab.eng.brq.redhat.com.: 10.34.58.118 [ipa.ipatests.test_integration.tasks] The host (dom-058-115.abc.idm.lab.eng.brq.redhat.com) is resolvable. 
[ipa.ipatests.test_integration.tasks] Installing replica from [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to 
/etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 10.34.58.114 vm-058-114.abc.idm.lab.eng.brq.redhat.com vm-058-114 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] RUN ['hostname', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd5] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding 
vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Allow PTR sync: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd21] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Zone name: 58.34.10.in-addr.arpa. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Active zone: TRUE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Authoritative nameserver: vm-058-115.abc.idm.lab.eng.brq.redhat.com. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Administrator e-mail address: hostmaster [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA serial: 1457531452 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA refresh: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA retry: 900 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA expire: 1209600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] SOA minimum: 3600 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] BIND update policy: grant DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM krb5-subdomain 58.34.10.in-addr.arpa. 
PTR; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Dynamic update: FALSE [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Allow query: any; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Allow transfer: none; [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd23] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Unable to resolve the IP address 10.34.58.114 to a host name, check /etc/hosts and DNS name resolution [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Preparing replica for vm-058-114.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Copying additional 
files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Packaging replica information into /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring directory server (dirsrv). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/41]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] 
[13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [21/41]: configure autobind for root [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Starting replication, please wait until this has completed. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed Update in progress, 4 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [36/41]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [37/41]: enabling compatibility plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/24]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/24]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/24]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/24]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/24]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/24]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/24]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/24]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/24]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/24]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/24]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/24]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/24]: setting audit signing renewal to 2 years [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/24]: importing RA certificate from PKCS #12 file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/24]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/24]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/24]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/24]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/24]: Configure HTTP to proxy connections 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/24]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [21/24]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [22/24]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [23/24]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [24/24]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the directory and certificate servers [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring kadmin. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring the web interface (httpd). Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [16/20]: create KDC proxy 
config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring the web interface (httpd). [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Done. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client hostname: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] IPA Server: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] trying https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ping' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-114.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Client configuration complete. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-114.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd17] Exit code: 0 [ipa.ipatests.test_integration.tasks] Installing replica from [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Current domain level: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd25] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh 
[ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] RUN ['cp', '-af', '/etc/hosts', '/home/ofayans/ipatests/file_backup/etc/hosts'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd2] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /etc/hosts [ipa.ipatests.test_integration.tasks] Writing the following to /etc/hosts: 10.34.78.1 hector.abc.idm.lab.eng.brq.redhat.com localmirror 2620:52:0:224e:21a:4aff:fe23:1238 hector.abc.idm.lab.eng.brq.redhat.com localmirror 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.34.48.31 rhev-01.eng.brq.redhat.com 2620:52:0:227f:21e:4fff:fe28:7da8 rhev-01.eng.brq.redhat.com 10.34.58.118 vm-058-118.abc.idm.lab.eng.brq.redhat.com vm-058-118 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hosts [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /etc/hostname [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /home/ofayans/ipatests/file_backup/etc [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] RUN ['cp', '-af', '/etc/hostname', '/home/ofayans/ipatests/file_backup/etc/hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd3] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /etc/hostname 
[ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd4] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] RUN hostname > '/home/ofayans/ipatests/backup_hostname' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd5] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-install.log to list of logs to collect [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/ipareplica-conncheck.log to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd26] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] RUN ['ipa', 'dnsconfig-mod', '--allow-sync-ptr=true'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] ipa: ERROR: no modifications to be performed [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd27] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd28] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] RUN ['systemctl', 'stop', 'httpd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd6] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] RUN for line in `ipcs -s | grep apache | cut -d " " -f 2`; do ipcrm -s $line; done [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd7] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] RUN ['ipa', 'dnszone-add', '58.34.10.in-addr.arpa.'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd29] Exit code: 1 [ipa.ipatests.test_integration.tasks] ipa: ERROR: DNS zone with name "58.34.10.in-addr.arpa." 
already exists [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] RUN ['ipa', 'dnszone-show', 'abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] ipa: ERROR: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd30] Exit code: 2 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] RUN ['ipa-replica-prepare', '-p', 'x2k1j5tdsl', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Preparing replica for vm-058-118.abc.idm.lab.eng.brq.redhat.com from vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the dogtag Directory Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Saving dogtag Directory Server port [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Creating SSL certificate for the Web Server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exporting RA certificate [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Copying additional files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Finalizing configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Packaging replica information into /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] The ipa-replica-prepare command was successful [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd31] Exit code: 0 
[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] WRITE /home/ofayans/ipatests/replica-info.gpg [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] RUN ['ipa-replica-install', '-U', '-p', 'x2k1j5tdsl', '-w', 'x2k1j5tdsl', '--setup-ca', '/home/ofayans/ipatests/replica-info.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] ipa : ERROR Reverse DNS resolution of address 10.34.58.115 (vm-058-115.abc.idm.lab.eng.brq.redhat.com) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Run connection check to master [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Connection check OK [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring NTP daemon (ntpd) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/4]: stopping ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/4]: writing configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/4]: configuring ntpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/4]: starting ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring NTP daemon (ntpd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring directory server (dirsrv). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/41]: creating directory server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/41]: creating directory server instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/41]: adding default schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/41]: enabling memberof plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/41]: enabling winsync plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/41]: configuring replication version plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/41]: enabling IPA enrollment plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/41]: enabling ldapi [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [10/41]: configuring uniqueness plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [11/41]: configuring uuid plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [12/41]: configuring modrdn plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [13/41]: configuring DNS plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [14/41]: enabling entryUSN plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [15/41]: configuring lockout plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [16/41]: configuring topology plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [17/41]: creating indices [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [18/41]: enabling referential integrity plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [19/41]: configuring ssl for ds instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [20/41]: configuring certmap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [21/41]: configure autobind for root 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [22/41]: configure new location for managed entries [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [23/41]: configure dirsrv ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [24/41]: enabling SASL mapping fallback [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [25/41]: restarting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [26/41]: setting up initial replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Starting replication, please wait until this has completed. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Update in progress, 1 seconds elapsed Update in progress, 2 seconds elapsed Update in progress, 3 seconds elapsed [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Update succeeded [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [27/41]: adding sasl mappings to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [28/41]: updating schema [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [29/41]: setting Auto Member configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [30/41]: enabling S4U2Proxy delegation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [31/41]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [32/41]: initializing group membership [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [33/41]: adding master entry [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [34/41]: initializing domain level [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [35/41]: configuring Posix uid/gid generation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [36/41]: adding replication acis [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [37/41]: enabling compatibility plugin 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [38/41]: activating sidgen plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [39/41]: activating extdom plugin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [40/41]: tuning directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [41/41]: configuring directory to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring directory server (dirsrv). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/24]: creating certificate server user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/24]: configuring certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/24]: stopping certificate server instance to update CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/24]: backing up CS.cfg [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/24]: disabling nonces [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/24]: set up CRL publishing [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/24]: enable PKIX certificate path discovery and validation [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/24]: starting certificate server instance [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/24]: creating RA agent certificate database [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [10/24]: importing CA chain to RA certificate database [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [11/24]: fixing RA database permissions [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [12/24]: setting up signing cert profile [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [13/24]: setting audit signing renewal to 2 years 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [14/24]: importing RA certificate from PKCS #12 file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [15/24]: authorizing RA to modify profiles [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [16/24]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [17/24]: configure certificate renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [18/24]: configure Server-Cert certificate renewal [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [19/24]: Configure HTTP to proxy connections [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [20/24]: restarting certificate server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [21/24]: migrating certificate profiles to LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [22/24]: importing IPA certificate profiles [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [23/24]: adding default CA ACL [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [24/24]: updating IPA configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring certificate server (pki-tomcatd). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the directory and certificate servers [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring Kerberos KDC (krb5kdc). 
Estimated time: 30 seconds [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/7]: configuring KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/7]: creating a keytab for the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/7]: creating a keytab for the machine [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/7]: adding the password extension to the directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/7]: enable GSSAPI for replication [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/7]: starting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/7]: configuring KDC to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring Kerberos KDC (krb5kdc). [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring kadmin to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring kadmin. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring ipa_memcached to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa_memcached. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring the web interface (httpd). 
Estimated time: 1 minute [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/20]: setting mod_nss port to 443 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/20]: setting mod_nss cipher suite [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/20]: setting mod_nss password file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/20]: enabling mod_nss renegotiate [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/20]: adding URL rewriting rules [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/20]: configuring httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/20]: configure certmonger for renewals [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/20]: setting up httpd keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [10/20]: setting up ssl [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [11/20]: importing CA certificates from LDAP [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [12/20]: publish CA cert [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [13/20]: clean up any existing httpd ccache [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [14/20]: configuring SELinux for httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [15/20]: create KDC proxy user [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [16/20]: create KDC proxy config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [17/20]: enable KDC proxy [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [18/20]: restarting httpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [19/20]: configuring httpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [20/20]: enabling oddjobd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring the web interface (httpd). 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/2]: starting ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/2]: configuring ipa-otpd to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa-otpd. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/5]: Generating ipa-custodia config file [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/5]: Making sure custodia container exists [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/5]: Generating ipa-custodia keys [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/5]: starting ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/5]: configuring ipa-custodia to start on boot [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done configuring ipa-custodia. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Applying LDAP updates [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Upgrading IPA: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [1/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [2/9]: saving configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [3/9]: disabling listeners [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [4/9]: enabling DS global lock [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [5/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [6/9]: upgrading server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [7/9]: stopping directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [8/9]: restoring configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [9/9]: starting directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Done. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the KDC [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Restarting the web server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring client side components [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Using existing certificate '/etc/ipa/ca.crt'. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Client hostname: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Realm: DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] DNS Domain: dom-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] IPA Server: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] BaseDN: dc=dom-058-115,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Skipping synchronizing time with NTP server. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] trying https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'ping' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'ca_is_enabled' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Systemwide CA database updated. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Forwarding 'host_mod' to json server 'https://vm-058-118.abc.idm.lab.eng.brq.redhat.com/ipa/json' [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Could not update DNS SSHFP records. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] SSSD enabled [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Configuring dom-058-115.abc.idm.lab.eng.brq.redhat.com as NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Client configuration complete. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd8] Exit code: 0 [ipa.ipatests.test_integration.tasks] Enable LDAP replication logging [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] RUN ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'x2k1j5tdsl'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] modifying entry "cn=config" [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd9] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] RUN ['sed', '-i', '/debug_level = 7/d', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd10] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] RUN ['sed', '-i', '/\\[*\\]/ a\\debug_level = 7', '/etc/sssd/sssd.conf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd11] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding vm-058-118.abc.idm.lab.eng.brq.redhat.com:/var/log/sssd/* to list of logs to collect [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] STAT /bin/systemctl [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] RUN ['systemctl', 'stop', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] RUN find /var/lib/sss/db -name '*.ldb' | xargs rm -fv [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ‘/var/lib/sss/db/config.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ‘/var/lib/sss/db/sssd.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] removed ‘/var/lib/sss/db/cache_dom-058-115.abc.idm.lab.eng.brq.redhat.com.ldb’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd13] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] RUN ['rm', '-fv', '/var/lib/sss/mc/group'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] removed ‘/var/lib/sss/mc/group’ [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] RUN ['rm', '-fv', '/var/lib/sss/mc/passwd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] removed ‘/var/lib/sss/mc/passwd’
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] RUN ['systemctl', 'start', 'sssd'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd16] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'connect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] RUN ['ipa-replica-manage', 'connect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] ipa: INFO: Getting ldap service principals for conversion: (krbprincipalname=ldap/vm-058-114.abc.idm.lab.eng.brq.redhat.com at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM) and (krbprincipalname=ldap/vm-058-118.abc.idm.lab.eng.brq.redhat.com at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Connected 'vm-058-114.abc.idm.lab.eng.brq.redhat.com' to 'vm-058-118.abc.idm.lab.eng.brq.redhat.com' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd32] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'disconnect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] RUN ['ipa-replica-manage', 'disconnect', 
'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ipa: INFO: Setting agreement cn=meTovm-058-114.abc.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=dom-058-115\,dc\=abc\,dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTovm-058-114.abc.idm.lab.eng.brq.redhat.com,cn=replica,cn=dc\=dom-058-115\,dc\=abc\,dc\=idm\,dc\=lab\,dc\=eng\,dc\=brq\,dc\=redhat\,dc\=com,cn=mapping tree,cn=config [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 0: end: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Deleted replication agreement from 'vm-058-114.abc.idm.lab.eng.brq.redhat.com' to 'vm-058-118.abc.idm.lab.eng.brq.redhat.com' [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd33] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] RUN ['ipa', 'domainlevel-set', '1'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd34] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'connect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] RUN ['ipa-replica-manage', 'connect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 
'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Creation of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd35] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] Password for admin at DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd36] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'topologysegment-add', 'domain', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com-to-vm-058-118.abc.idm.lab.eng.brq.redhat.com', '--leftnode=vm-058-114.abc.idm.lab.eng.brq.redhat.com', '--rightnode=vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] RUN ['ipa', 'topologysegment-add', 'domain', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com-to-vm-058-118.abc.idm.lab.eng.brq.redhat.com', '--leftnode=vm-058-114.abc.idm.lab.eng.brq.redhat.com', '--rightnode=vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ------------------------------------------------------------------------------------------------------ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Added segment "vm-058-114.abc.idm.lab.eng.brq.redhat.com-to-vm-058-118.abc.idm.lab.eng.brq.redhat.com" [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] ------------------------------------------------------------------------------------------------------ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Segment name: vm-058-114.abc.idm.lab.eng.brq.redhat.com-to-vm-058-118.abc.idm.lab.eng.brq.redhat.com 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Left node: vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Right node: vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Connectivity: both [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd37] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-replica-manage', 'disconnect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] RUN ['ipa-replica-manage', 'disconnect', 'vm-058-114.abc.idm.lab.eng.brq.redhat.com', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Removal of IPA replication agreement is deprecated with managed IPA replication topology. Please use `ipa topologysegment-*` commands to manage the topology. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd38] Exit code: 1 .[ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd39] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] WARNING: This IPA master is still a part of the replication topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] $ ipa-replica-manage del vm-058-115.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd40] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd41] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-115.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd42] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ‘/home/ofayans/ipatests/file_backup/etc/hosts’ -> ‘/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] ‘/home/ofayans/ipatests/file_backup/etc/hostname’ -> ‘/etc/hostname’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] /sbin/restorecon reset /etc context system_u:object_r:nfs_t:s0->system_u:object_r:etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] /sbin/restorecon reset /etc/hosts context system_u:object_r:nfs_t:s0->system_u:object_r:net_conf_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] /sbin/restorecon reset /etc/hostname context system_u:object_r:nfs_t:s0->system_u:object_r:hostname_etc_t:s0 [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd43] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] xargs: Cannot open input file ‘/home/ofayans/ipatests/file_remove’: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd44] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] removed ‘/home/ofayans/ipatests/file_backup/etc/hosts’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] removed ‘/home/ofayans/ipatests/file_backup/etc/hostname’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] removed directory: ‘/home/ofayans/ipatests/file_backup/etc’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] removed directory: ‘/home/ofayans/ipatests/file_backup’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd45] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] RUN ['hostname', 'vm-058-118.abc.idm.lab.eng.brq.redhat.com'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd46] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] RUN ['rm', '/home/ofayans/ipatests/backup_hostname'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd47] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-115.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] removed ‘/home/ofayans/ipatests/env.sh’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] removed ‘/home/ofayans/ipatests/replica-info.gpg’ [ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] removed directory: ‘/home/ofayans/ipatests’
[ipa.ipatests.test_integration.host.Host.vm-058-115.cmd48] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] WARNING: This IPA master is still a part of the replication topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] $ ipa-replica-manage del vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Disabling client Kerberos and LDAP configurations 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd20] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-114.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd23] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-114.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-114.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] 
[ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-114.cmd25] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] Current domain level: 1 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] ----------------------- [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] WARNING: Failed to determine whether the IPA master was already removed from topology. 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] WARNING: This IPA master is still a part of the replication topology. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] To properly remove the master entry and clean up related segments, run: [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] $ ipa-replica-manage del vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Ignoring topology errors and forcing uninstall [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring named [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-058-115.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero 
exit status 5 [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd19] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd20] Exit code: 255 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-vm-058-118.abc.idm.lab.eng.brq.redhat.com.gpg'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd22] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd23] Exit code: 1 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd24] Exit code: 0 [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on vm-058-118.abc.idm.lab.eng.brq.redhat.com [ipa.ipatests.test_integration.host.Host.vm-058-118.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] 
[ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] -bash: line 2: /home/ofayans/ipatests/env.sh: No such file or directory [ipa.ipatests.test_integration.host.Host.vm-058-118.cmd25] Exit code: 0 ========================= 8 passed in 7824.24 seconds ========================== -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0024.3-Enabled-setting-domain-level-explicitly-in-test-clas.patch Type: text/x-patch Size: 4117 bytes Desc: not available URL: From ftweedal at redhat.com Fri Mar 11 01:06:29 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 11 Mar 2016 11:06:29 +1000
Subject: [Freeipa-devel] Design review request: RFC 2818 certificate compliance
In-Reply-To: <56DD20D0.50706@redhat.com>
References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com> <56DD20D0.50706@redhat.com>
Message-ID: <20160311010629.GC12127@dhcp-40-8.bne.redhat.com>

On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:
> Hi,
>
> On 29.2.2016 07:59, Fraser Tweedale wrote:
> >Hi all (especially those interested in certificates),
> >
> >Please provide early review of my design for RFC 2818 compliance
> >which will address the following tickets:
> >
> >- #4970 Server certificate profile should always include a Subject Alternate name for the host
> >- #5706 [RFE] Support SAN-only certificates
> >
> >http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
> >
> >The design is a WIP and there is no code for it yet. Looking for
> >feedback and (hopefully) validation of the approach before
> >committing cycles to implementing new profile components in Dogtag.
>
> 1) Do wildcard certificates need special handling? There is no mention of
> them in the design doc.
>
No special handling of wildcard certs is needed but I've added some
commentary to the design page.

> 2) Should we accept invalid CSR where CN length is greater than 64? I
> wouldn't be surprised if these existed in the wild.
>
Good question. I agree such CSRs probably exist. There are various
ways to handle them:

a) Reject request (with useful message; instruction to issue
   SAN-only request instead)

b) Issue non-compliant cert with overlong CN. It will be helpful
   to find out how important clients handle such certs.

c) Accept the CSR but "promote" the overlong CN from CSR into a SAN
   dnsName, and issue a SAN-only cert. Some clients may not handle
   such certs very well.

Personally I like (c), because the user intent is clear but we still
issue a valid cert; however, I expect there are clients out there
(particularly in "enterprise" environments?) that will not handle it
well. I've copied pki-devel@ to solicit additional insights here :)

> 3) Sometimes it is not clear which parts belong to Dogtag and which to IPA
> itself. For example the upgrade section - I assume Dogtag should update
> registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated
> anywhere.
>
Thanks, I've added clarifying remarks. In brief: yes Dogtag should
update registry.cfg, but FreeIPA should update the profile.

Thank you for your feedback, Jan.

Fraser

From jcholast at redhat.com Fri Mar 11 06:24:22 2016
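The three ways of handling an overlong CN listed in the message above, as an added example that is not part of the thread and is not FreeIPA or Dogtag code. It assumes the 64-character limit is RFC 5280's ub-common-name, models a CSR as a CN string plus a list of SAN dNSNames, and uses hypothetical names (`plan_certificate`, `RequestRejected`); mirroring a host-name CN into the SAN follows the title of ticket #4970 and is likewise an assumption.

```python
import re

UB_COMMON_NAME = 64   # RFC 5280 upper bound (ub-common-name) on commonName
MAX_DNS_NAME = 253    # longest DNS name in its textual form
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample: a valid host name (72 characters) that cannot fit in a CN.
LONG_HOST = "a" * 60 + ".example.com"


class RequestRejected(Exception):
    """Option (a): refuse the CSR and tell the requester what to do instead."""


def is_dns_name(name):
    """Syntactic host-name check; a leading '*' label (wildcard) is accepted."""
    if not name or len(name) > MAX_DNS_NAME:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.fullmatch(label) for label in labels)


def merge_dns_names(names):
    """De-duplicate case-insensitively, keeping order and first spelling."""
    merged, seen = [], set()
    for name in names:
        if name.lower() not in seen:
            seen.add(name.lower())
            merged.append(name)
    return merged


def plan_certificate(cn, san_dns=(), overlong="promote"):
    """Return (subject_cn, san_dns_names) for the certificate to issue.

    `overlong` selects the handling of a CN longer than 64 characters:
    'reject' is option (a), 'issue' is (b), 'promote' is (c).
    A subject_cn of None means a SAN-only certificate.
    """
    if overlong not in ("reject", "issue", "promote"):
        raise ValueError("unknown policy: %r" % (overlong,))
    cn_as_san = [cn] if is_dns_name(cn) else []

    if len(cn) <= UB_COMMON_NAME or overlong == "issue":
        # CN stays in the subject (non-compliant if overlong, option b);
        # a host-name CN is also mirrored into the SAN (assumption, see #4970).
        return cn, merge_dns_names(list(san_dns) + cn_as_san)
    if overlong == "reject":
        raise RequestRejected(
            "CN is %d characters (limit %d); submit a SAN-only request instead"
            % (len(cn), UB_COMMON_NAME))
    # Option (c): only a CN that is a DNS name can become a SAN dnsName.
    if not cn_as_san:
        raise RequestRejected(
            "overlong CN is not a DNS name; cannot promote it to a SAN dnsName")
    return None, merge_dns_names(cn_as_san + list(san_dns))
```

The gap between the two limits (64 for a CN, 253 for a DNS name) is why a valid host name can be impossible to carry in the subject at all.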
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 11 Mar 2016 07:24:22 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56DFF770.1010208@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com> <56DD8D5D.6090301@redhat.com> <56DD9E19.6010608@redhat.com> <56DFF770.1010208@redhat.com>
Message-ID: <56E26496.90500@redhat.com>

On 9.3.2016 11:14, Martin Babinsky wrote:
> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>
>>>> Shouldn't we rather fix IPA to work with bind running in chroot
>>>> (which is AFAIK considered good security practice)?
>>>
>>> I would not invest into it:
>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>
>>
>> +1
>>
>> Martin
>>
>
> Then the patch should be sufficient, yes?

Yes, but I would prefer if the directive was visually separated from
requires and had a comment (see how nss-pam-ldapd conflicts in
freeipa-server is done).

-- 
Jan Cholasta

From tbabej at redhat.com Fri Mar 11 07:53:07 2016
From: tbabej at redhat.com (Tomas Babej)
Date: Fri, 11 Mar 2016 08:53:07 +0100
Subject: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py
In-Reply-To: <559B7560.3000107@redhat.com>
References: <559B7560.3000107@redhat.com>
Message-ID: <56E27963.9070506@redhat.com>

On 07/07/2015 08:44 AM, Tomas Babej wrote:
>
>
> On 07/04/2015 02:03 PM, Jérôme Fenal wrote:
>> Hi all,
>>
>> A quick patch to the man page part of stageuser to avoid ambiguity in
>> the phrasing, spotted while translating the page.
>>
>> Regards,
>>
>> J.
>>
>>
>>
>
> Thanks, ACK.
>
> I will not push this patch to master until we branch off 4.2 development
> branch as it would disrupt already translated strings in the other
> languages.
>
> Tomas
>

One could say the condition has been fulfilled, so let's follow up on
that promise:

Pushed to master: 0e4e5cbddd349300340fd4a2fb19e8505f57b47d

Tomas

From dkupka at redhat.com Fri Mar 11 08:16:20 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 11 Mar 2016 09:16:20 +0100
Subject: [Freeipa-devel] [PATCH 0095-0098] NTP: use augeas, configure chronyd, do not overwrite config
Message-ID: <56E27ED4.4020306@redhat.com>

The current version (0.5.0) of python-augeas is missing the copy() method.
Use the dkupka/python-augeas copr repo until the new version is built and
available in the official repos.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0095.0-augeas-add-wrapper-around-python-binding.patch
Type: text/x-patch
Size: 10581 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0096.0-ntp-Add-module-for-NTP-configuration.patch
Type: text/x-patch
Size: 19280 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0097.0-ntp-Add-platform-specific-tasks.patch
Type: text/x-patch
Size: 3656 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0098.0-ntp-install-Use-tasks-to-configure-NTP-daemon.patch
Type: text/x-patch
Size: 34453 bytes
Desc: not available
URL:

From pvoborni at redhat.com Fri Mar 11 08:25:20 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 11 Mar 2016 09:25:20 +0100
Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options
In-Reply-To: <1457634175.8257.336.camel@redhat.com>
References: <56E1B319.9020204@redhat.com> <1457632943.8257.335.camel@redhat.com> <56E1BAEA.805@redhat.com> <1457634175.8257.336.camel@redhat.com>
Message-ID: <56E280F0.6070203@redhat.com>

On 03/10/2016 07:22 PM, Simo Sorce wrote:
> On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote:
>>
>> On 03/10/2016 07:02 PM, Simo Sorce wrote:
>>> On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
>>>> Hi,
>>>>
>>>> These two options allow preventing clickjacking attacks. They don't
>>>> allow opening FreeIPA in a frame, iframe or object element.
>>> Will these apply to the whole server or just to /ipa ?
>>>
>> Yes, you are right, these apply to whole server. In this new patch they
>> are applied only on /ipa.
>>
>> --
>> Pavel^3 Vomacka
>
> Thanks,
> LGTM
>
> Simo.
>

VERSION in a header needs to be incremented so that the config file is
correctly processed during upgrade.

-- 
Petr Vobornik

From mbabinsk at redhat.com Fri Mar 11 08:32:44 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 11 Mar 2016 09:32:44 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56E26496.90500@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com> <56DD8D5D.6090301@redhat.com> <56DD9E19.6010608@redhat.com> <56DFF770.1010208@redhat.com> <56E26496.90500@redhat.com>
Message-ID: <56E282AC.3070306@redhat.com>

On 03/11/2016 07:24 AM, Jan Cholasta wrote:
> On 9.3.2016 11:14, Martin Babinsky wrote:
>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>
>>>>> Shouldn't we rather fix IPA to work with bind running in chroot
>>>>> (which is AFAIK considered good security practice)?
>>>>
>>>> I would not invest into it:
>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>>
>>>>
>>>
>>> +1
>>>
>>> Martin
>>>
>>
>> Then the patch should be sufficient, yes?
>
> Yes, but I would prefer if the directive was visually separated from
> requires and had a comment (see how nss-pam-ldapd conflicts in
> freeipa-server is done).
>

Fixed

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0137.1-spec-add-conflict-with-bind-chroot-to-freeipa-server.patch
Type: text/x-patch
Size: 962 bytes
Desc: not available
URL:

From mkosek at redhat.com Fri Mar 11 08:33:48 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 11 Mar 2016 09:33:48 +0100
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56DF14D3.5050400@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com>
Message-ID: <56E282EC.5060206@redhat.com>

On 03/08/2016 07:07 PM, Martin Basti wrote:
>
>
> On 08.03.2016 16:37, Martin Basti wrote:
>>
>>
>> On 08.03.2016 16:31, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4501
>>>
>>> Patch attached.
>>>
>>>
>> Rebased patch attached.
>>
>>
>
> self-NACK
>
> Scripts print to CLI unformatted strings, it should not be so easy.
> See /var/log/ipaupgrade-{timestamp}.log for more information

second-NACK. We cannot break existing log file paths. The paths are
mentioned in the documentation and there may also be automation around
that (gathering log files). So there should always be a symlink from the
well-known location to the newest timestamped log.

From jcholast at redhat.com Fri Mar 11 08:55:50 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 11 Mar 2016 09:55:50 +0100
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56E282EC.5060206@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com>
Message-ID: <56E28816.50407@redhat.com>

On 11.3.2016 09:33, Martin Kosek wrote:
> On 03/08/2016 07:07 PM, Martin Basti wrote:
>>
>>
>> On 08.03.2016 16:37, Martin Basti wrote:
>>>
>>>
>>> On 08.03.2016 16:31, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4501
>>>>
>>>> Patch attached.
>>>>
>>>>
>>> Rebased patch attached.
>>>
>>>
>>
>> self-NACK
>>
>> Scripts print to CLI unformatted strings, it should not be so easy.
>> See /var/log/ipaupgrade-{timestamp}.log for more information
>
> second-NACK. We cannot break existing log file paths. The paths are mentioned
> in the documentation and there may also be automation around that (gathering log
> files). So there should always be a symlink from the well-known location to the
> newest timestamped log.

Sorry, but this is absurd. What's the point of maintaining backward
compatibility with obsolete documentation? Following this logic, we
would not be able to change anything ever.

What we should actually do is update the documentation. Ditto for
automation.

-- 
Jan Cholasta

From pvomacka at redhat.com Fri Mar 11 09:09:40 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Fri, 11 Mar 2016 10:09:40 +0100 Subject: [Freeipa-devel] [PATCH] 0005 webui: topology graph: canvas resizes itself according to the window size In-Reply-To: <56E1AA07.5040102@redhat.com> References: <56BC7105.3020609@redhat.com> <56BDD5A6.8010108@redhat.com> <56C1ECA4.2070900@redhat.com> <56C4ADF0.4080702@redhat.com> <56CF1498.8080302@redhat.com> <56E1AA07.5040102@redhat.com> Message-ID: <56E28B54.8090204@redhat.com> On 03/10/2016 06:08 PM, Petr Vobornik wrote: > On 02/25/2016 03:50 PM, Pavel Vomacka wrote: >> >> >> On 02/17/2016 06:29 PM, Petr Vobornik wrote: >>> On 02/15/2016 04:20 PM, Pavel Vomacka wrote: >>>> >>>> >>>> On 02/12/2016 01:52 PM, Pavel Vomacka wrote: >>>>> >>>>> >>>>> On 02/11/2016 12:31 PM, Pavel Vomacka wrote: >>>>>> Hello, >>>>>> >>>>>> The canvas of the graph had static size. This patch fixes this issue >>>>>> and from now the graph canvas is resized according to the window >>>>>> size. >>>>>> >>>>>> Pavel Vomacka >>>>>> >>>>>> >>>>> Because of changes in previous patch I'm sending also this one again. >>>>> Plus I fixed some jslint warnings. >>>>> >>>>> And again a link to the ticket: >>>>> https://fedorahosted.org/freeipa/ticket/5647 . >>>>> >>>>> -- >>>>> Pavel^3 Vomacka >>>>> >>>>> >>>> And another change in the code. This patch adds checking whether a svg >>>> element even exists. And don't add 'col-sm-12' class to the svg >>>> element >>>> any more. This class just added useless paddings to the element. >>>> >>>> -- >>>> Pavel^3 Vomacka >>>> >>> >>> Hi, >>> >>> thanks for the patch. >> Hi, >> >> thank you for reviewing. >>> >>> 1. I don't like the fact that the resize handler registered in >>> initialize method is active forever, even when viewing other facets. >> I moved the handler to the topology graph facet. It is also removed >> after hide event is emited. >>> 2. The code will probably fail if there is other svg element present >>> on the page. 
>>> >>> $('svg') searches for all svg elements in DOM, such search is usually >>> slow and undeterministic. It is better to use a stored reference(if >>> possible) or limit the search to some parent element, e.g. TopoGraph >>> can store and then use its container. >>> >>> Would be funny if there were 2 graphs. >> Yep, you are right. I avoid using this type of searching in this patch. >> >>> >>> 3. Why is there the toFixed(1) call? Or more specifically on that >>> position? It hides the fact that toFixed transforms Number to String >>> and then '-' operator with Number on the right casts it back to Number. >> The toFixed(1) was used just because we don't need so accurate numbers, >> but in this patch this function is not used any more. >>> >>> 4. width could be just: this._svg.parent().width() >> The width is now solved by using this.content.width() in topology graph >> facet. I think that the calculating of width and height should be at the >> same place. That is why I didn't put calculating of width into the >> TopoGraph. >>> >>> 5. Your approach for bottom padding works well but I don't like that >>> the component assumes that there is some col-sm-12 element on a page >>> whose right padding is actually equal to space on the left of the svg. >> I agree, fixed. >>> >>> #1 and #5 makes me think that the resize logic should be moved >>> topology facet. Something like: >>> >>> * register resize handler on facet's 'show' event >>> * unregister resize handler on facet's 'hide' event (will solve #1) >>> * on window resize, compute the size in topology facet, call new >>> .resize(width, height) method of TopoGraph >>> >>> Then, we wouldn't have to search whole DOM for 'svg' elements to check >>> if page is visible. The bottom padding can be obtained by: >>> parseInt(this.content.css('paddingLeft')) where 'this' is facet. >>> >> I followed these tips and here is a new patch. >> >> -- >> Pavel^3 Vomacka > > > 1. 
> - width: 960,
> - height: 500,
>
> Graph even without this patch allows to set initial size in a
> constructor, e.g.:
>
> E.g. so he could also use:
> this.graph = new topology_graph.TopoGraph({
>     nodes: data.nodes,
>     links: data.links,
>     suffixes: data.suffixes,
>     height: height,
>     width: width
> });
>
> IMO we should leave some default size there, e.g. the old 960x500 so
> that the graph is shown even without explicit configuration.
>
Ok, I put the default size back, but into graph specification as you write here.
> 2.
> - update: function() {
> + update: function(height, width) {
>
> Update method should not require size params. E.g. if it should
> trigger only data update. So it should contain at least a doc string
> that the values are optional. Maybe it should be a single param.
>
>
These parameters are not required so I add doc string and also changed them to single param.

--
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0005-5-Resize-topology-graph-canvas-according-to-window-siz.patch
Type: text/x-patch
Size: 5191 bytes
Desc: not available
URL:
From pvomacka at redhat.com Fri Mar 11 09:12:32 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Fri, 11 Mar 2016 10:12:32 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0010] WebUI tests - ID views
In-Reply-To: <56DED4F5.3000608@redhat.com>
References: <56CC6A9D.5060309@redhat.com> <56DEBADB.5050503@redhat.com> <56DED4F5.3000608@redhat.com>
Message-ID: <56E28C00.2060706@redhat.com>

On 03/08/2016 02:34 PM, Lenka Doudova wrote:
>
>
> On 03/08/2016 12:43 PM, Pavel Vomacka wrote:
>>
>>
>> On 02/23/2016 03:20 PM, Lenka Doudova wrote:
>>> Hi,
>>>
>>> attached is patch providing missing test coverage for ID views in
>>> webUI.
>>>
>>> Lenka
>>>
>>>
>> Hi,
>>
>> Thank you for your patch. I have small one comment: The
>> delete_associtaion() function duplicates code, it would be good to
>> create auxiliary function and move that code there. NACK.
>>
>> --
>> Pavel^3 Vomacka
>>
>>
> Hi,
>
> thanks for review, fixed patch attached.
>
> Lenka
>
>
Thank you, ACK.

--
Pavel^3 Vomacka
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From pvomacka at redhat.com Fri Mar 11 09:20:47 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Fri, 11 Mar 2016 10:20:47 +0100
Subject: [Freeipa-devel] [PATCH] 0008 Add X-Frame-Options and frame-ancestors options
In-Reply-To: <56E280F0.6070203@redhat.com>
References: <56E1B319.9020204@redhat.com> <1457632943.8257.335.camel@redhat.com> <56E1BAEA.805@redhat.com> <1457634175.8257.336.camel@redhat.com> <56E280F0.6070203@redhat.com>
Message-ID: <56E28DEF.9020309@redhat.com>

On 03/11/2016 09:25 AM, Petr Vobornik wrote:
> On 03/10/2016 07:22 PM, Simo Sorce wrote:
>> On Thu, 2016-03-10 at 19:20 +0100, Pavel Vomacka wrote:
>>>
>>> On 03/10/2016 07:02 PM, Simo Sorce wrote:
>>>> On Thu, 2016-03-10 at 18:47 +0100, Pavel Vomacka wrote:
>>>>> Hi,
>>>>>
>>>>> These two options allow preventing clickjacking attacks. They don't
>>>>> allow open FreeIPA in frame, iframe or object element.
>>>> Will these apply to the whole server or just to /ipa ?
>>>>
>>> Yes, you are right, these apply to whole server. In this new patch they
>>> are applied only on /ipa.
>>>
>>> --
>>> Pavel^3 Vomacka
>>
>> Thanks,
>> LGTM
>>
>> Simo.
>>
>
> VERSION in a header needs to be incremented so that the config file is
> correctly processed during upgrade.
>
VERSION incremented.

--
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0008-3-Add-X-Frame-Options-and-frame-ancestors-options.patch
Type: text/x-patch
Size: 1169 bytes
Desc: not available
URL:
From slaznick at redhat.com Fri Mar 11 09:39:50 2016
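A header check for the outcome of the X-Frame-Options thread above: framing is blocked for everything under /ipa and the headers are not applied to the rest of the server. This is an added example, not code from the FreeIPA patch; the header values, the sample paths and the function names are assumptions, and the sample responses are constructed.

```python
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]      # (name, value) pairs as sent by the server
RANK = {"open": 0, "allow-list": 1, "same-origin": 2, "deny": 3}
BLOCKING = {"deny", "same-origin"}


def csp_frame_ancestors(policy: str) -> Optional[str]:
    """Classify frame-ancestors in one CSP policy; None when the directive is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower() for t in tokens[1:]]
        if not sources or sources == ["'none'"]:
            return "deny"            # an empty source list matches no ancestor
        if "*" in sources:
            return "open"            # wildcard: any site may frame the page
        if all(s == "'self'" for s in sources):
            return "same-origin"
        return "allow-list"
    return None


def xfo_verdict(values: List[str]) -> Optional[str]:
    """Classify X-Frame-Options; only a lone DENY or SAMEORIGIN is counted."""
    seen = {v.strip().lower() for raw in values for v in raw.split(",") if v.strip()}
    if not seen:
        return None
    if seen == {"deny"}:
        return "deny"
    if seen == {"sameorigin"}:
        return "same-origin"
    return "open"                    # ALLOW-FROM, typos or conflicting values


def framing_verdict(headers: Headers) -> Dict[str, Optional[str]]:
    """Return the verdict of each mechanism for one response."""
    csp: List[str] = []
    xfo: List[str] = []
    for name, value in headers:
        lname = name.lower()
        # Content-Security-Policy-Report-Only is not enforced, so it is not counted.
        if lname == "content-security-policy":
            for policy in value.split(","):      # several policies in one header
                verdict = csp_frame_ancestors(policy)
                if verdict is not None:
                    csp.append(verdict)
        elif lname == "x-frame-options":
            xfo.append(value)
    # Every policy is enforced, so the strictest frame-ancestors decides.
    strictest = max(csp, key=lambda v: RANK[v]) if csp else None
    return {"csp": strictest, "xfo": xfo_verdict(xfo)}


def audit(responses: Dict[str, Headers], prefix: str = "/ipa") -> List[str]:
    """Report paths under prefix that can be framed, and headers set outside it."""
    findings = []
    for path in sorted(responses):
        verdict = framing_verdict(responses[path])
        if path == prefix or path.startswith(prefix + "/"):
            if verdict["csp"] not in BLOCKING:
                findings.append(f"{path}: frame-ancestors missing or permissive")
            if verdict["xfo"] not in BLOCKING:
                findings.append(f"{path}: X-Frame-Options missing or not honoured")
        elif verdict["csp"] or verdict["xfo"]:
            findings.append(f"{path}: framing headers applied outside {prefix}")
    return findings


# Constructed sample: path -> response headers (not captured from a real server).
SAMPLE: Dict[str, Headers] = {
    "/ipa/ui/": [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "frame-ancestors 'none'")],
    "/ipa/session/json": [("X-Frame-Options", "ALLOW-FROM https://portal.example.test"),
                          ("Content-Security-Policy", "default-src 'self'")],
    "/ipa/config/ca.crt": [("Content-Security-Policy-Report-Only",
                            "frame-ancestors 'none'")],
    "/other-app/": [("X-Frame-Options", "DENY")],
    "/ipa-docs/": [],                # shares the string prefix but is not under /ipa
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Both mechanisms are checked separately because the patch title names both headers; a path passes only when each of them blocks cross-origin framing.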
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 11 Mar 2016 10:39:50 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
Message-ID: <56E29266.8000501@redhat.com>

Hi,

Please see the patch attached. Contrary to the discussion at https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix option for clean_ruv command. If this command is available for normal RUVs, it should probably be available for CS-RUVs as well (or deprecated for both with advised use of clean_dangling_ruv).

Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0024-ipa-replica-manage-added-suffix-option.patch
Type: text/x-patch
Size: 12824 bytes
Desc: not available
URL:
From mkosek at redhat.com Fri Mar 11 10:21:26 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 11 Mar 2016 11:21:26 +0100
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56E28816.50407@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com>
Message-ID: <56E29C26.7080806@redhat.com>

On 03/11/2016 09:55 AM, Jan Cholasta wrote:
> On 11.3.2016 09:33, Martin Kosek wrote:
>> On 03/08/2016 07:07 PM, Martin Basti wrote:
>>>
>>>
>>> On 08.03.2016 16:37, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.03.2016 16:31, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4501
>>>>>
>>>>> Patch attached.
>>>>>
>>>>>
>>>> Rebased patch attached.
>>>>
>>>>
>>>
>>> self-NACK
>>>
>>> Scripts print to CLI unformatted strings, it should not be so easy.
>>> See /var/log/ipaupgrade-{timestamp}.log for more information
>>
>> second-NACK. We cannot break existing log file paths. The paths are mentioned
>> in a documentation and there may be also automation around that (gathering log
>> files). So there should be always symlink from the well known location to the
>> newest timestamped log.
>
> Sorry, but this is absurd. What's the point of maintaining backward
> compatibility with obsolete documentation? Following this logic, we would not
> be able to change anything ever. What we should actually do is update the
> documentation. Ditto for automation.

+1 for updating the automation and documentation. But some backward
compatibility will need to be retained, at least for the stable systems like
RHEL where *other* people may have some automation or documentation around it,
not just us.
From mbasti at redhat.com Fri Mar 11 10:53:25 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 11 Mar 2016 11:53:25 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0010] WebUI tests - ID views
In-Reply-To: <56E28C00.2060706@redhat.com>
References: <56CC6A9D.5060309@redhat.com> <56DEBADB.5050503@redhat.com> <56DED4F5.3000608@redhat.com> <56E28C00.2060706@redhat.com>
Message-ID: <56E2A3A5.7090308@redhat.com>

On 11.03.2016 10:12, Pavel Vomacka wrote:
>
>
> On 03/08/2016 02:34 PM, Lenka Doudova wrote:
>>
>>
>> On 03/08/2016 12:43 PM, Pavel Vomacka wrote:
>>>
>>>
>>> On 02/23/2016 03:20 PM, Lenka Doudova wrote:
>>>> Hi,
>>>>
>>>> attached is patch providing missing test coverage for ID views in
>>>> webUI.
>>>>
>>>> Lenka
>>>>
>>>>
>>> Hi,
>>>
>>> Thank you for your patch. I have small one comment: The
>>> delete_associtaion() function duplicates code, it would be good to
>>> create auxiliary function and move that code there. NACK.
>>>
>>> --
>>> Pavel^3 Vomacka
>>>
>>>
>> Hi,
>>
>> thanks for review, fixed patch attached.
>>
>> Lenka
>>
>>
> Thank you, ACK.
>
> --
> Pavel^3 Vomacka
>
>
Pushed to master: 904db149e9f99b9a318441bc50972a8336a5b4c0
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rcritten at redhat.com Fri Mar 11 14:00:19 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 11 Mar 2016 09:00:19 -0500
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56E29C26.7080806@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com>
Message-ID: <56E2CF73.1010409@redhat.com>

Martin Kosek wrote:
> On 03/11/2016 09:55 AM, Jan Cholasta wrote:
>> On 11.3.2016 09:33, Martin Kosek wrote:
>>> On 03/08/2016 07:07 PM, Martin Basti wrote:
>>>>
>>>>
>>>> On 08.03.2016 16:37, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 08.03.2016 16:31, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4501
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>>>
>>>>> Rebased patch attached.
>>>>>
>>>>>
>>>>
>>>> self-NACK
>>>>
>>>> Scripts print to CLI unformatted strings, it should not be so easy.
>>>> See /var/log/ipaupgrade-{timestamp}.log for more information
>>>
>>> second-NACK. We cannot break existing log file paths. The paths are mentioned
>>> in a documentation and there may be also automation around that (gathering log
>>> files). So there should be always symlink from the well known location to the
>>> newest timestamped log.
>>
>> Sorry, but this is absurd. What's the point of maintaining backward
>> compatibility with obsolete documentation? Following this logic, we would not
>> be able to change anything ever. What we should actually do is update the
>> documentation. Ditto for automation.
>
> +1 for updating the automation and documentation. But some backward
> compatibility will need to be retained, at least for the stable systems like
> RHEL where *other* people may have some automation or documentation around it,
> not just us.
>
Or you could just also create a symlink to the old name and it will
always just work.

rob
From pvoborni at redhat.com Fri Mar 11 14:35:05 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 11 Mar 2016 15:35:05 +0100
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56E2CF73.1010409@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com>
Message-ID: <56E2D799.3000705@redhat.com>

On 03/11/2016 03:00 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 03/11/2016 09:55 AM, Jan Cholasta wrote:
>>> On 11.3.2016 09:33, Martin Kosek wrote:
>>>> On 03/08/2016 07:07 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 08.03.2016 16:37, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 08.03.2016 16:31, Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/4501
>>>>>>>
>>>>>>> Patch attached.
>>>>>>>
>>>>>>>
>>>>>> Rebased patch attached.
>>>>>>
>>>>>>
>>>>>
>>>>> self-NACK
>>>>>
>>>>> Scripts print to CLI unformatted strings, it should not be so easy.
>>>>> See /var/log/ipaupgrade-{timestamp}.log for more information
>>>>
>>>> second-NACK. We cannot break existing log file paths. The paths are mentioned
>>>> in a documentation and there may be also automation around that (gathering log
>>>> files). So there should be always symlink from the well known location to the
>>>> newest timestamped log.
>>>
>>> Sorry, but this is absurd. What's the point of maintaining backward
>>> compatibility with obsolete documentation? Following this logic, we would not
>>> be able to change anything ever. What we should actually do is update the
>>> documentation. Ditto for automation.
>>
>> +1 for updating the automation and documentation. But some backward
>> compatibility will need to be retained, at least for the stable systems like
>> RHEL where *other* people may have some automation or documentation around it,
>> not just us.
>>
>
> Or you could just also create a symlink to the old name and it will
> always just work.
>
> rob
>

Aren't the symlinks what Martin2 mentioned in second-NACK?

These new timestamped logs should be combined with the Gabe's patches:
#5728 (renamed to command name) and #5724 (move to /var/log/ipa directory).

So that there will be e.g.:
/var/log/ipaserver-install.log -> /var/log/ipa-server-install-{timestamp}.log

/var/log/ipa/ipa-server-install.log -> /var/log/ipa-server-install-{timestamp}.log
--
Petr Vobornik
From fskola at redhat.com Fri Mar 11 14:42:30 2016
From: fskola at redhat.com (Filip Skola)
Date: Fri, 11 Mar 2016 09:42:30 -0500 (EST)
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <56DE9B15.40305@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com> <56DE9B15.40305@redhat.com>
Message-ID: <1335569448.42727105.1457707349989.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On 01/28/2016 10:45 AM, Filip Skola wrote:
> >
> >> The same as with patch 0002:
> >> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
> >> W:142,26: Calling a dict.iter*() method (dict-iter-method)
> >>
> >> Please use dict.items method.
> >>
> >> --
> >> Milan Kubik
> >>
> >>
> > Hi,
> >
> > attaching a fixed patch. This patch is dependent on updated group plugin
> > test patch 0002-7.
> >
> > Filip
> Hello, sorry for delay. The patch no longer applies after 0002-8.
>
> --
> Milan Kubik
>
>

Hi,

rebased. The next patch should be applicable on top of this one.

Filip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-fskola-0005-5-Refactor-test_nesting-create-HostGroupTracker.patch
Type: text/x-patch
Size: 39641 bytes
Desc: not available
URL:
From redhatrises at gmail.com Fri Mar 11 14:56:33 2016
From: redhatrises at gmail.com (Gabe Alford)
Date: Fri, 11 Mar 2016 07:56:33 -0700
Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs
In-Reply-To: <56E2D799.3000705@redhat.com>
References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com> <56E2D799.3000705@redhat.com>
Message-ID:

On Fri, Mar 11, 2016 at 7:35 AM, Petr Vobornik wrote:
> On 03/11/2016 03:00 PM, Rob Crittenden wrote:
>
>> Martin Kosek wrote:
>>
>>> On 03/11/2016 09:55 AM, Jan Cholasta wrote:
>>>
>>>> On 11.3.2016 09:33, Martin Kosek wrote:
>>>>
>>>>> On 03/08/2016 07:07 PM, Martin Basti wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 08.03.2016 16:37, Martin Basti wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 08.03.2016 16:31, Martin Basti wrote:
>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4501
>>>>>>>>
>>>>>>>> Patch attached.
>>>>>>>>
>>>>>>>>
>>>>>>>> Rebased patch attached.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> self-NACK
>>>>>>
>>>>>> Scripts print to CLI unformatted strings, it should not be so easy.
>>>>>> See /var/log/ipaupgrade-{timestamp}.log for more information
>>>>>>
>>>>>
>>>>> second-NACK. We cannot break existing log file paths. The paths are
>>>>> mentioned
>>>>> in a documentation and there may be also automation around that
>>>>> (gathering log
>>>>> files). So there should be always symlink from the well known location
>>>>> to the
>>>>> newest timestamped log.
>>>>>
>>>>
>>>> Sorry, but this is absurd. What's the point of maintaining backward
>>>> compatibility with obsolete documentation? Following this logic, we
>>>> would not
>>>> be able to change anything ever. What we should actually do is update
>>>> the
>>>> documentation. Ditto for automation.
>>>>
>>>
>>> +1 for updating the automation and documentation. But some backward
>>> compatibility will need to be retained, at least for the stable systems
>>> like
>>> RHEL where *other* people may have some automation or documentation
>>> around it,
>>> not just us.
>>>
>>>
>> Or you could just also create a symlink to the old name and it will
>> always just work.
>>
>> rob
>>
>>
> Aren't the symlinks what Martin2 mentioned in second-NACK?
>
> These new timestamped logs should be combined with the Gabe's patches:
> #5728 (renamed to command name) and #5724 (move to /var/log/ipa directory).
>
> So that there will be e.g.:
> /var/log/ipaserver-install.log ->
> /var/log/ipa-server-install-{timestamp}.log
>
> /var/log/ipa/ipa-server-install.log ->
> /var/log/ipa-server-install-{timestamp}.log
>

I wonder if it would be simpler/better to always write to the *.log file, and then have old logs timestamped rather than write directly to a timestamped log file? Then just symlink the original log file in /var/log/ to the new log file name/location in /var/log/ipa. For example:

/var/log/ipaserver-install.log -> /var/log/ipa/ipa-server-install.log <-- We write to this log (current)
/var/log/ipa-server-install-{timestamp}.log <-- Old log with some date
/var/log/ipa-server-install-{timestamp}.log <-- Older log with some date
/var/log/ipa-server-install-{timestamp}.log <-- Oldest log with some date

Gabe
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbasti at redhat.com Fri Mar 11 16:29:45 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 11 Mar 2016 17:29:45 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56E1F09D.10405@redhat.com> References: <5640A90B.6030906@redhat.com> <56587616.5030609@redhat.com> <565DB7D3.5040500@redhat.com> <565F0BDD.8080206@redhat.com> <565F17EE.3020701@redhat.com> <5666DC18.2040906@redhat.com> <56675E31.3050203@redhat.com> <5667F49B.5020709@redhat.com> <5667FEFB.6090904@redhat.com> <56680C2E.7060805@redhat.com> <56680DDD.2000106@redhat.com> <566FDD80.7030805@redhat.com> <56717785.4020304@redhat.com> <567195B9.9070104@redhat.com> <56727AA7.2030809@redhat.com> <5675E08C.7030109@redhat.com> <56D43687.10502@redhat.com> <56D57DDE.3020306@redhat.com> <56D57F0C.1060103@redhat.com> <56D59F78.1000000@redhat.com> <56D5D9C3.8000102@redhat.com> <56D621DF.406@redhat.com> <56D6ACF5.4070402@redhat.com> <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> Message-ID: <56E2F279.8050302@redhat.com> On 10.03.2016 23:09, Oleg Fayans wrote: > Hi Martin, > > > > On 03/08/2016 08:18 PM, Martin Basti wrote: >> >> On 08.03.2016 18:24, Martin Basti wrote: >>> >>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>> The patches were rebased against the current master >>>> >>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>> * old messages have been removed * >>>>>>>>> 1) >>>>>>>>> this method is unused please remove it >>>>>>>>> >>>>>>>>> def test_kra_install_master(self): >>>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>>> keep it: >>>>>> >>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>> --collect-only >>>>>> 
==================================================================================== >>>>>> >>>>>> >>>>>> test session starts >>>>>> ===================================================================================== >>>>>> >>>>>> >>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>> pytest.ini >>>>>> plugins: sourceorder, multihost >>>>>> collected 8 items >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> aah my bad, I forgot that pytest executes it when it begins with test_* >>>>> even in parent class >>>>>>>>> 2) >>>>>>>>> Why are these there? I do not see any usage >>>>>>>>> >>>>>>>>> from env_config import get_global_config >>>>>>>>> config = get_global_config() >>>>>> Removed >>>>>> >>>>>>>>> 3) nitpick >>>>>>>>> + num_clients = 0 >>>>>>>>> this is set by default >>>>>> Removed >>>>>> >>>>>>>>> otherwise LGTM >>>>>>>>> >>>>>>>>> Results of testing tomorrow. >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>> >>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>> >>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>>> replica1.ipa.test already exists on the master server. 
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>>> remove it before proceeding: >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>> host-del replica1.ipa.test >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>> ipa-replica-install command failed. See >>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>> code: 3 >>>>>>>> FAILED >>>>>> this is exactly the error that happens when a workaround for 5627 >>>>>> is not >>>>>> applied. I have re-run the tests with all the patches and everything >>>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>>> correctly? >>>>>> >>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>> --pdb >>>>>> ==================================================================================== >>>>>> >>>>>> >>>>>> test session starts >>>>>> ===================================================================================== >>>>>> >>>>>> >>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>> pytest.ini >>>>>> plugins: sourceorder, multihost >>>>>> collected 8 items >>>>>> >>>>>> test_integration/test_replica_promotion.py ........ >>>>>> >>>>>> ================================================================================ >>>>>> >>>>>> >>>>>> 8 passed in 7561.93 seconds >>>>>> ================================================================================= >>>>>> >>>>>> >>>>>> >>>>> I will >>>>> >>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>> NACK >>> >>> 1) >>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>> >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>> 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. 
See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >>> FAILED >>> >>> 2) >>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>> 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. 
See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>> FAILED >>> >>> >>> 3) >>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>> '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. 
See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>> FAILED >>> >>> >>> Reason: >>> >>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>> - setup_kra=False, extra_args=()): >>> + setup_kra=False, extra_args=(), domain_level=None): >>> + if domain_level is None: >>> + domain_level = domainlevel(master) > Oops. Sorry, must have been a result of inaccurate rebase. Fixed > The successful run is attached > >>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>> + if domainlevel == DOMAIN_LEVEL_0: >>> >>> domain_level variable is actually unused >>> >> Also with your patch that removes host_prepare, I see many following >> errors in test debug output >> >> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >> cd: /root/ipatests: No such file or directory >> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >> /root/ipatests/env.sh: No such file or directory >> >> >> I do not see these errors in current tests, so the patch does not seem >> right to me. > http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull > > I've been experimenting a lot to find get rid of it but was > unsuccessful. Seemingly it does not affect the tests. > > ACK I added ticket to commit messages Pushed to: ipa-4-3: bad89ea7b94e020532eb17cea03321cfb4ace85c master: 578cff956738af06b005c3ef931dbe518d5605a3 From jhrozek at redhat.com Fri Mar 11 17:01:58 2016 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 11 Mar 2016 18:01:58 +0100 Subject: [Freeipa-devel] [PATCH] sudo: Fix a typo in the --help output of sudocmdgroup Message-ID: <20160311170158.GB3112@hendrix.redhat.com> Hi, attached is a trivial patch. -------------- next part -------------- >From 21ff083a3bf08e914f3df6682b88265f39254ea1 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Fri, 11 Mar 2016 18:01:11 +0100 Subject: [PATCH] sudo: Fix a typo in the --help output of sudocmdgroup --- ipalib/plugins/sudocmdgroup.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py index f35bc8d265b94de3315455f486ea9d5c2c2d9922..800521a320e4f1ad8dfa0217770907f11ea10e5a 100644 --- a/ipalib/plugins/sudocmdgroup.py +++ b/ipalib/plugins/sudocmdgroup.py @@ -48,10 +48,10 @@ EXAMPLES: ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds Manage Sudo Command Group membership, commands: - ipa group-remove-member --sudocmds=/usr/bin/less admincmds + ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds Show a Sudo Command Group: - ipa group-show localadmins + ipa sudocmdgroup-show admincmds """) register = Registry() -- 2.4.3 From cfu at redhat.com Fri Mar 11 18:20:49 2016 
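Review bot: the subject line calls this a typo fix, but the second replacement in the EXAMPLES hunk changes the argument as well as the command: `ipa group-show localadmins` becomes `ipa sudocmdgroup-show admincmds`. Swapping localadmins for admincmds matches the group used in the unchanged sudocmdgroup-add-member context line, so the change looks right, but the commit message has no body explaining it. One sentence saying that the examples now use the sudocmdgroup-* commands and the admincmds group throughout would make the intent clear to anyone reading the log later.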
From: cfu at redhat.com (Christina Fu)
Date: Fri, 11 Mar 2016 10:20:49 -0800
Subject: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance
In-Reply-To: <20160311010629.GC12127@dhcp-40-8.bne.redhat.com>
References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com> <56DD20D0.50706@redhat.com> <20160311010629.GC12127@dhcp-40-8.bne.redhat.com>
Message-ID: <56E30C81.2020609@redhat.com>

Hi Fraser,

I think the general idea looks good. If tested to work, I actually think
you should have it replace the current caServerCert.cfg and make it the
default server cert profile for Dogtag. So I'd suggest you name things more
generically.

Just for your reference, there is an implementation that injects SAN(s) into
server certs at time of Dogtag instance creation. It also allows one to put
multiple SANs in one ssl server cert:
https://fedorahosted.org/pki/ticket/1316#comment:14
again, it's only limited to pkispawn option so it serves a different
purpose.

Christina

On 03/10/2016 05:06 PM, Fraser Tweedale wrote:
> On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote:
>> Hi,
>>
>> On 29.2.2016 07:59, Fraser Tweedale wrote:
>>> Hi all (especially those interested in certificates),
>>>
>>> Please provide early review of my design for RFC 2818 compliance
>>> which will address the following tickets:
>>>
>>> - #4970 Server certificate profile should always include a Subject Alternate name for the host
>>> - #5706 [RFE] Support SAN-only certificates
>>>
>>> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance
>>>
>>> The design is a WIP and there is no code for it yet. Looking for
>>> feedback and (hopefully) validation of the approach before
>>> committing cycles to implementing new profile components in Dogtag.
>> 1) Do wildcard certificates need special handling? There is no mention of
>> them in the design doc.
>>
> No special handling of wildcard certs is needed but I've added some
> commentary to the design page.
>
>> 2) Should we accept invalid CSR where CN length is greater than 64? I
>> wouldn't be surprised if these existed in the wild.
>>
> Good question. I agree such CSRs probably exist. There are various
> ways to handle them:
>
> a) Reject request (with useful message; instruction to issue
>    SAN-only request instead)
>
> b) Issue non-compliant cert with overlong CN. It will be helpful to
>    find out how important clients handle such certs.
>
> c) Accept the CSR but "promote" the overlong CN from CSR into a SAN
>    dnsName, and issue a SAN-only cert. Some clients may not handle
>    such certs very well.
>
> Personally I like (c), because the user intent is clear but we still
> issue a valid cert, however, I expect there are clients out there
> (particularly in "enterprise" environments?) that will not handle it
> well.
>
> I've copied pki-devel@ to solicit additional insights here :)
>
>> 3) Sometimes it is not clear which parts belong to Dogtag and which to IPA
>> itself. For example the upgrade section - I assume Dogtag should update
>> registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated
>> anywhere.
>>
> Thanks, I've added clarifying remarks. In brief: yes Dogtag should
> update registry.cfg, but FreeIPA should update the profile.
>
> Thank you for your feedback, Jan.
> Fraser
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
From ftweedal at redhat.com Sun Mar 13 07:51:17 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Sun, 13 Mar 2016 17:51:17 +1000 Subject: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance In-Reply-To: <56E30C81.2020609@redhat.com> References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com> <56DD20D0.50706@redhat.com> <20160311010629.GC12127@dhcp-40-8.bne.redhat.com> <56E30C81.2020609@redhat.com> Message-ID: <20160313075117.GD12127@dhcp-40-8.bne.redhat.com> On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote: > Hi Fraser, > > I think the general idea looks good. If tested to work, I actually think > you should have it replace the current caServerCert.cfg and make it the > default server cert profile for Dogtag. So I'd suggest you name things more > generically. > Thanks Christina for the feedback. W.r.t naming, can you clarify what you think should be more generic and why? > Just for your reference, there is an implementation that injects SAN(s) into > server certs at time of Dogtag instance creation. It also allows one to put > multiple SANs in one ssl server cert: > https://fedorahosted.org/pki/ticket/1316#comment:14 > again, it's only limited to pkispawn option so it serves a different > purpose. > > Christina > > On 03/10/2016 05:06 PM, Fraser Tweedale wrote: > >On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote: > >>Hi, > >> > >>On 29.2.2016 07:59, Fraser Tweedale wrote: > >>>Hi all (especially those interested in certificates), > >>> > >>>Please provide early review of my design for RFC 2818 compliance > >>>which will address the following tickets: > >>> > >>>- #4970 Server certificate profile should always include a Subject Alternate name for the host > >>>- #5706 [RFE] Support SAN-only certificates > >>> > >>>http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance > >>> > >>>The design is a WIP and there is no code for it yet. 
Looking for > >>>feedback and (hopefully) validation of the approach before > >>>committing cycles to implementing new profile components in Dogtag. > >>1) Do wildcard certificates need special handling? There is no mention of > >>them in the design doc. > >> > >No special handling of wildcard certs is needed but I've added some > >commentary to the design page. > > > >>2) Should we accept invalid CSR where CN length is greater than 64? I > >>wouldn't be surprised if these existed in the wild. > >> > >Good question. I agree such CSRs probably exist. There are various > >ways to handle them: > > > >a) Reject request (with useful message; instruction to issue > > SAN-only request instead) > > > >b) Issue non-compliant cert with overlong CN. It will be helpful to > > find out how important clients handle such certs. > > > >c) Accept the CSR but "promote" the overlong CN from CSR into a SAN > > dnsName, and issue a SAN-only cert. Some clients may not handle > > such certs very well. > > > >Personally I like (c), because the user intent is clear but we still > >issue a valid cert, however, I expect there are clients out there > >(particularly in "enterprise" environments?) that will not handle it > >well. > > > >I've copied pki-devel@ to solicit additional insights here :) > > > >>3) Sometimes it is not clear which parts belong to Dogtag and which to IPA > >>itself. For example the upgrade section - I assume Dogtag should update > >>registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated > >>anywhere. > >> > >Thanks, I've added clarifying remarks. In brief: yes Dogtag should > >update registry.cfg, but FreeIPA should update the profile. > > > >Thank you for your feedback, Jan. 
> >Fraser > > > >_______________________________________________ > >Pki-devel mailing list > >Pki-devel at redhat.com > >https://www.redhat.com/mailman/listinfo/pki-devel > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From ftweedal at redhat.com Mon Mar 14 04:04:17 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 14 Mar 2016 14:04:17 +1000 Subject: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name Message-ID: <20160314040417.GH12127@dhcp-40-8.bne.redhat.com> The attached patch fixes https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander for finding and reporting. Cheers, Fraser -------------- next part -------------- From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 14 Mar 2016 14:49:47 +1100 Subject: [PATCH] caacl: correctly handle full user principal name The caacl HBAC request is correct when just the username is given, but the full 'user at REALM' form was not handled correctly. Fixes: https://fedorahosted.org/freeipa/ticket/5733 --- ipalib/plugins/caacl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 64dbec16e11e9fa2a67287b195b4bd1180a379e7..d83c3ce892031a9877fac198eb51961fbd159571 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py 
@@ -61,14 +61,14 @@ def _acl_make_request(principal_type, principal, ca_ref, profile_id): req.targethost.name = ca_ref req.service.name = profile_id if principal_type == 'user': - req.user.name = principal + req.user.name = name elif principal_type == 'host': req.user.name = name elif principal_type == 'service': req.user.name = normalize_principal(principal) groups = [] if principal_type == 'user': - user_obj = api.Command.user_show(principal)['result'] + user_obj = api.Command.user_show(name)['result'] groups = user_obj.get('memberof_group', []) groups += user_obj.get('memberofindirect_group', []) elif principal_type == 'host': -- 2.5.0 From abokovoy at redhat.com Mon Mar 14 05:18:24 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 14 Mar 2016 07:18:24 +0200 Subject: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name In-Reply-To: <20160314040417.GH12127@dhcp-40-8.bne.redhat.com> References: <20160314040417.GH12127@dhcp-40-8.bne.redhat.com> Message-ID: <20160314051824.GX4492@redhat.com> On Mon, 14 Mar 2016, Fraser Tweedale wrote: >The attached patch fixes >https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander >for finding and reporting. > >Cheers, >Fraser >From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001 >From: Fraser Tweedale >Date: Mon, 14 Mar 2016 14:49:47 +1100 >Subject: [PATCH] caacl: correctly handle full user principal name > >The caacl HBAC request is correct when just the username is given, >but the full 'user at REALM' form was not handled correctly. > >Fixes: https://fedorahosted.org/freeipa/ticket/5733 A context might be helpful here: if you are using certmonger's -K option to specify a user principal name to add to certificate, the name will get normalized to include the realm. This is how it gets to caacl check. ACK. -- / Alexander Bokovoy From jcholast at redhat.com Mon Mar 14 07:06:27 2016 
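Review bot: In the `principal_type == 'user'` branch, both `req.user.name = name` and `api.Command.user_show(name)` now depend on `name`, which is computed outside the visible context, so the hunk does not show whether the realm part of the full principal is checked or simply dropped. If it is dropped, a principal from another realm that shares a user name with a local user would be evaluated with the local user's groups; please confirm the realm is compared with the local realm before `name` is used, or add that check here. The diffstat lists only ipalib/plugins/caacl.py, so a regression test that runs the caacl check with the full principal form would also be worth adding.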
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 14 Mar 2016 08:06:27 +0100 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs In-Reply-To: References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com> <56E2D799.3000705@redhat.com> Message-ID: <56E662F3.8010408@redhat.com> On 11.3.2016 15:56, Gabe Alford wrote: > On Fri, Mar 11, 2016 at 7:35 AM, Petr Vobornik > wrote: > > On 03/11/2016 03:00 PM, Rob Crittenden wrote: > > Martin Kosek wrote: > > On 03/11/2016 09:55 AM, Jan Cholasta wrote: > > On 11.3.2016 09:33, Martin Kosek wrote: > > On 03/08/2016 07:07 PM, Martin Basti wrote: > > > > On 08.03.2016 16:37, Martin Basti wrote: > > > > On 08.03.2016 16:31, Martin Basti wrote: > > https://fedorahosted.org/freeipa/ticket/4501 > > Patch attached. > > > Rebased patch attached. > > > > self-NACK > > Scripts print to CLI unformatted strings, it > should not be so easy. > See /var/log/ipaupgrade-{timestamp}.log for more > information > > > second-NACK. We cannot break existing log file > paths. The paths are mentioned > in a documentation and there may be also automation > around that (gathering log > files). So there should be always symlink from the > well known location to the > newest timestampe'd log. > > > Sorry, but this is absurd. What's the point of > maintaining backward > compatibility with obsolete documentation? Following > this logic, we would not > be able to change anything ever. What we should actually > do is update the > documentation. Ditto for automation. > > > +1 for updating the automation and documentation. But some > backward > compatibility will need to be retained, at least for the > stable systems like > RHEL where *other* people may have some automation or > documentation around it, > not just us. 
> > > Or you could just also create a symlink to the old name and it will > always just work. > > rob > > > Aren't the symlinks what Martin2 mentioned in second-NACK? > > These new timestamped logs should be combined with the Gabe's > patches: #5728 (renamed to command name) and #5724 (move to > /var/log/ipa directory). > > So that there will be e.g.: > /var/log/ipaserver-install.log -> > /var/log/ipa-server-install-{timestamp}.log > > /var/log/ipa/ipa-server-install.log -> > /var/log/ipa-server-install-{timestamp}.log > > > I wonder if it would be simpler/better to always write to the *.log > file, and then have old logs timestamped rather than write directly to a > timestamped log file? > Then just symlink the original log file in /var/log/ to the new log file > name/location in /var/log/ipa. > > For example: > /var/log/ipaserver-install.log -> > /var/log/ipa/ipa-server-install.log <-- We write to this > log (current) > > /var/log/ipa-server-install-{timestamp}.log <-- Old log with some date > > /var/log/ipa-server-install-{timestamp}.log <-- Older log with some date > > /var/log/ipa-server-install-{timestamp}.log <-- Oldest log with some date This is way too overengineered for something that should actually be really simple. I don't care if it is done this way or not, but IMHO it would be a waste of time. Logs are not API and should not be treated as such. If it needs to be done differently on RHEL, it should be handled downstream. -- Jan Cholasta From jcholast at redhat.com Mon Mar 14 08:29:23 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 14 Mar 2016 09:29:23 +0100
Subject: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil
Message-ID: <56E67663.3030405@redhat.com>

Hi,

the attached patch fixes and .

Honza

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-550-certdb-never-use-the-r-option-of-certutil.patch
Type: text/x-patch
Size: 1879 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-550.0.4_2-certdb-never-use-the-r-option-of-certutil.patch
Type: text/x-patch
Size: 1650 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Mar 14 11:05:37 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 14 Mar 2016 12:05:37 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E29266.8000501@redhat.com>
References: <56E29266.8000501@redhat.com>
Message-ID: <56E69B01.6000108@redhat.com>

Hi,

On 11.3.2016 10:39, Stanislav Laznicka wrote:
> Hi,
>
> Please see the patch attached. Contrary to the discussion at
> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
> option for clean_ruv command. If this command is available for normal
> RUVs, it should probably be available for CS-RUVs as well (or deprecated
> for both with advised use of clean_dangling_ruv).

ipa-csreplica-manage is used to manage the CA suffix, so ipa-csreplica-manage should be extended instead of adding --suffix option to ipa-replica-manage. Having half of the CA suffix managed by ipa-replica-manage and the other half by ipa-replica-manage is confusing.

Honza

--
Jan Cholasta

From mbasti at redhat.com Mon Mar 14 11:50:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 14 Mar 2016 12:50:33 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E69B01.6000108@redhat.com>
References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com>
Message-ID: <56E6A589.4050207@redhat.com>

On 14.03.2016 12:05, Jan Cholasta wrote:
> Hi,
>
> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>> Hi,
>>
>> Please see the patch attached. Contrary to the discussion at
>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>> option for clean_ruv command. If this command is available for normal
>> RUVs, it should probably be available for CS-RUVs as well (or deprecated
>> for both with advised use of clean_dangling_ruv).
>
> ipa-csreplica-manage is used to manage the CA suffix, so
> ipa-csreplica-manage should be extended instead of adding --suffix
> option to ipa-replica-manage. Having half of the CA suffix managed by
> ipa-replica-manage and the other half by ipa-replica-manage is confusing.
>
> Honza
>

There is a design document about deprecating ipa-csreplica-manage and move part of its responsibilities to ipa-replica-manage.

http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes

So patch is compatible with design.

Martin^2

From jcholast at redhat.com Mon Mar 14 11:57:45 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 14 Mar 2016 12:57:45 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E6A589.4050207@redhat.com>
References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com>
Message-ID: <56E6A739.3000505@redhat.com>

On 14.3.2016 12:50, Martin Basti wrote:
>
>
> On 14.03.2016 12:05, Jan Cholasta wrote:
>> Hi,
>>
>> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>>> Hi,
>>>
>>> Please see the patch attached. Contrary to the discussion at
>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>>> option for clean_ruv command. If this command is available for normal
>>> RUVs, it should probably be available for CS-RUVs as well (or deprecated
>>> for both with advised use of clean_dangling_ruv).
>>
>> ipa-csreplica-manage is used to manage the CA suffix, so
>> ipa-csreplica-manage should be extended instead of adding --suffix
>> option to ipa-replica-manage. Having half of the CA suffix managed by
>> ipa-replica-manage and the other half by ipa-replica-manage is confusing.
>>
>> Honza
>>
> There is a design document about deprecating ipa-csreplica-manage and
> move part of its responsibilities to ipa-replica-manage.
>
> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes
>
>
> So patch is compatible with design.

The design is wrong then. Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage sub-commands respect the --suffix option. Anything else is inconsistent mess.

--
Jan Cholasta

From mbabinsk at redhat.com Mon Mar 14 12:46:30 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 14 Mar 2016 13:46:30 +0100
Subject: [Freeipa-devel] [PATCH 0095-0098] NTP: use augeas, configure chronyd, do not overwrite config
In-Reply-To: <56E27ED4.4020306@redhat.com>
References: <56E27ED4.4020306@redhat.com>
Message-ID: <56E6B2A6.9050904@redhat.com>

On 03/11/2016 09:16 AM, David Kupka wrote:
> Current version (0.5.0) of python-augeas is missing copy() method. Use
> dkupka/python-augeas copr repo before new version is built and
> available in the official repos.
>
>
>

Hi David,

TLDR: NACK :D.

Here are high-level remarks to discuss:

Maybe it would be a good idea to move ipaaugeas/changeconf and ntp to ipaplatform since it is dealing with (sorta) platform specific behavior (ntp vs. chrony vs. whatever we will have for timesync in the future). CC'ing Jan for thoughts.

Also regarding patches 0096-0097, we could have platform specific TimeDateService object that could wrap NTP/chrony management. For example, the task namespace functions in Patch 0096 could be reimplemented as methods of the service (RedhatTimeDateService, FedoraTimeDateService etc.) and then called in a platform-agnostic manner.

Here are some comments regarding code:

Patch 0095:

1.)
+ IPA_CUSTOM_AUGEAS_LENSES_DIR = '/usr/share/augeas/lenses/ipa/'

Do not forget to add this directory to %install and %files section of the spec file so that it is correctly added to RPM build.

2.)

please separate import of system-wide and IPA-specific modules by blank line

+import collections
+from augeas import Augeas
+from ipaplatform.paths import paths
+from ipapython.ipa_log_manager import root_logger

3.) the call to parent's __new__ should have signature 'super(aug_obj, cls).__new__(*args, **kwargs)'

+ cls._instance = super(aug_obj, cls).__new__(cls, *args, **kwargs)

4.)

+ raise RuntimeError('Augeas lenses was loaded. Could not add more'
+ 'lenses.')

Should be 'Augeas lenses _were_ loaded'

5.)
+ if lens in self.lenses: + raise RuntimeError('Lens %s already added.' % lens) + self.lenses.append(lens) + load_path = '/augeas/load/{0}'.format(lens Shouldn't the following code use os.path,join to construct the load_path? 6.) I would prefer the following indentation style in the add_lens() method @@ -65,9 +65,9 @@ class aug_obj(object): for conf_file in conf_files: self._aug.set(os.path.join(load_path, 'incl[0]'), conf_file) self.tree['old'] = self.tree.get(conf_file, None) - self.tree[conf_file] = aug_node(self._aug, - os.path.join('/files', - conf_file[1:])) + self.tree[conf_file] = aug_node( + self._aug, os.path.join('/files', conf_file[1:]) + ) 7.) I would also prefer if the hardcoded paths like '/augeas/load', 'files', and '//error' would be made into either module variables or class members. 8.) + def load(self): + if self._loaded: + raise RuntimeError('Augeas lenses was loaded. Could not add more' + 'lenses.') Fix the excpetion text in the same way as in 4.) 9.) + errors = self._aug.match(os.path.join('//error')) is the os.path.join necessary here? 10.) I guess you can rewrite the error message in load() method using list comprehension: 
@@ -76,9 +76,9 @@ class aug_obj(object): self._aug.load() errors = self._aug.match(os.path.join('//error')) if errors: - err_msg = "" - for error in errors: - err_msg += ("{}: {}".format(error, self._aug.get(error))) + err_msg = '\n'.join( + ["{}: {}".format(e, self._aug.get(e)) for e in errors] + ) raise RuntimeError(err_msg) self._loaded = True 11.) +class aug_node(collections.MutableMapping): + """ Single augeas node. + Can be handled as python dict(). + """ + def __init__(self, aug, path): + self._aug = aug + if path and os.path.isabs(path): + self._path = path + else: + self._tmp = _tmp_path(aug, path) + self._path = self._tmp.path Isn't it better to change signature of __init__ to: def __init__(self, aug, path=None): and then test whether path is None? 12.) def __setitem__(self, key, node): + target = os.path.join(self._path, key) + end = '{0}[0]'.format(os.path.join(self._path, key)) + if self._aug.match(target): + self._aug.remove(target) + target_list = aug_list(self._aug, target) + for src_node in aug_list(node._aug, node._path): + target_list.append(src_node) The 'end' variable is declared but not used. 13.) + + def __len__(self): + return len(self._aug.match('{0}/*'.format(self._path))) + + def __iter__(self): + for key in self._aug.match('{0}/*'.format(self._path)): + yield self._aug.label(key) + raise StopIteration() + Shouldn't we construct paths using os.path.join for the sake of consistency? 14.) + def __bool__(self): + return (bool(len(self)) or bool(self.value)) The parentheses around the boolean expression are not needed 15.) +class aug_list(collections.MutableSequence): + """Augeas NODESET. + Can be handled as a list(). + """ + def __init__(self, aug, path): + self._aug = aug + if path and os.path.isabs(path): + self._path = path + else: + self._tmp = _tmp_path(aug, path) + self._path = self._tmp.path I would use 'path=None' int he signature and then test whether 'path is not None'. 16.) 
+ if not self._aug.match(target):
+ raise IndexError()

It would be nice if you could put some basic error message into the raised exceptions, like "node index out of range" or something like that

17.)

+ elif isinstance(index, slice):
+ label = self._path.split('/')[-1]

you could use os.path.basename() to get the leaf node.

18.)

+ replace = range_target[:len(node)]
+ delete = create = []

Be careful here as you create two references to the same empty list object, which is probably not what you wanted.

19.)
+ try:
+ create_start = range_target[-1]+1
+ except IndexError:
+ create_start = self._idx_pos(index.start)
+ create_stop = create_start+len(node)-len(replace)
+ create = list(range(create_start, create_stop))

Please respect PEP8 and put spaces around arithmetic operators in assignments.

Also it would be nice to have at least a minimal test suite for this module, but that may be a separate ticket.

patch 0096:

1.) please fix the commit message
2.) please use new-style license header in ipapython/ntp.py
3.)

+ return ("Conflicting Time&Date synchroniztion service '%s' is "
+ "currently enabled and/or running on the system."
+ % self.conflicting_service)

Please fix the typo in the error message.

4.)
+ service = services.service(self.service_name)
+ if sstore:
+ if sstore.get_state('ntp', 'enabled') is None:
+ sstore.backup_state('ntp', 'enabled', service.is_enabled())
+
+ if fstore:
+ if not fstore.has_file(self.conf_file):
+ fstore.backup_file(self.conf_file)

the conditions in the 'if' statement can be merged into single AND expression

5.)
+ self._store_service_state(sstore, fstore)
+ if sstore:
+ sstore.backup_state('ntp', "enabled", service.is_enabled())
+
+ if fstore:
+ fstore.backup_file(self.conf_file)

I think these checks are redundant here.

6.)
+ # In such case it is OK to fail
+ try:
+ restored = fstore.restore_file(self.conf_file)
+ except Exception:
+ pass

Instead of 'pass' it would be better to set restored to False so that you don't hit NameError later.

7.)
+
+ def configure_client(self, ntp_servers=[], sstore=None, fstore=None):
+ self.server_options['burst'] = None
+ self.server_options['iburst'] = None

I would rather set these instance variables in __init__() than here.

8.)
+ def configure_client(self, ntp_servers=[], sstore=None, fstore=None):
+ self.conf_file = paths.CHRONY_CONF

self.conf_file is already defined in constructor.

9.)
+ self.server_options['iburst'] = None

this should be moved to __init__()

10.)
+ with ipaaugeas.aug_obj() as aug:
+ try:
+ aug.add_lens(self.lens, [self.conf_file])
+ aug.load()
+ except RuntimeError as e:
+ raise NTPConfigurationError(e)

This code is repeated quite a few times, maybe it would be a good idea to factor it out to a method of NTPService object.

Patch 0097:

1.) please fix a typo here:
+ description="Disble any other Time synchronization services."

2.)
+ installutils, kra, krbinstance, memcacheinstance, ntpinstance,

you have 2 spaces before 'ntpinstance'

--
Martin^3 Babinsky

From mbasti at redhat.com Mon Mar 14 12:46:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 14 Mar 2016 13:46:30 +0100
Subject: [Freeipa-devel] [PATCH 0138] only search for Kerberos SRV records when autodiscovery was requested
In-Reply-To: <56DDB42F.2070504@redhat.com>
References: <56DDB42F.2070504@redhat.com>
Message-ID: <56E6B2A6.10503@redhat.com>

On 07.03.2016 18:02, Martin Babinsky wrote:
> A quick fix for https://fedorahosted.org/freeipa/ticket/4305
>
> I'm aware that we were talking about putting realmd discovery into
> IPADiscovery class and stuff, but that is a bit beyond the scope of
> this ticket.
>
> I will open ticket(s) tracking:
>
> 1.) Offload at least the IPA realm DNS discovery to realmd D-Bus
> interface
> 2.) rewrite (not refactoring: the stuff also needs a substantial
> functional redesign IMHO) of the DNS discovery in the client-side
> installers.
>
> I will make sure that this effort is not forgotten and we are not left
> with yet-another temporary fix.
>
>
>

ACK

Pushed to:
ipa-4-3: b81f333c2c043c763f3534a8ef96a605bf04c343
master: 8290d4b4cba8cf0b9ca517f7f09db2ee81606899
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon Mar 14 12:56:47 2016
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 14 Mar 2016 08:56:47 -0400 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs In-Reply-To: <56E662F3.8010408@redhat.com> References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com> <56E2D799.3000705@redhat.com> <56E662F3.8010408@redhat.com> Message-ID: <56E6B50F.6050200@redhat.com> Jan Cholasta wrote: > On 11.3.2016 15:56, Gabe Alford wrote: >> On Fri, Mar 11, 2016 at 7:35 AM, Petr Vobornik > > wrote: >> >> On 03/11/2016 03:00 PM, Rob Crittenden wrote: >> >> Martin Kosek wrote: >> >> On 03/11/2016 09:55 AM, Jan Cholasta wrote: >> >> On 11.3.2016 09:33, Martin Kosek wrote: >> >> On 03/08/2016 07:07 PM, Martin Basti wrote: >> >> >> >> On 08.03.2016 16:37, Martin Basti wrote: >> >> >> >> On 08.03.2016 16:31, Martin Basti wrote: >> >> >> https://fedorahosted.org/freeipa/ticket/4501 >> >> Patch attached. >> >> >> Rebased patch attached. >> >> >> >> self-NACK >> >> Scripts print to CLI unformatted strings, it >> should not be so easy. >> See /var/log/ipaupgrade-{timestamp}.log for more >> information >> >> >> second-NACK. We cannot break existing log file >> paths. The paths are mentioned >> in a documentation and there may be also automation >> around that (gathering log >> files). So there should be always symlink from the >> well known location to the >> newest timestampe'd log. >> >> >> Sorry, but this is absurd. What's the point of >> maintaining backward >> compatibility with obsolete documentation? Following >> this logic, we would not >> be able to change anything ever. What we should actually >> do is update the >> documentation. Ditto for automation. >> >> >> +1 for updating the automation and documentation. 
But some >> backward >> compatibility will need to be retained, at least for the >> stable systems like >> RHEL where *other* people may have some automation or >> documentation around it, >> not just us. >> >> >> Or you could just also create a symlink to the old name and it >> will >> always just work. >> >> rob >> >> >> Aren't the symlinks what Martin2 mentioned in second-NACK? >> >> These new timestamped logs should be combined with the Gabe's >> patches: #5728 (renamed to command name) and #5724 (move to >> /var/log/ipa directory). >> >> So that there will be e.g.: >> /var/log/ipaserver-install.log -> >> /var/log/ipa-server-install-{timestamp}.log >> >> /var/log/ipa/ipa-server-install.log -> >> /var/log/ipa-server-install-{timestamp}.log >> >> >> I wonder if it would be simpler/better to always write to the *.log >> file, and then have old logs timestamped rather than write directly to a >> timestamped log file? >> Then just symlink the original log file in /var/log/ to the new log file >> name/location in /var/log/ipa. >> >> For example: >> /var/log/ipaserver-install.log -> >> /var/log/ipa/ipa-server-install.log <-- We write to this >> log (current) >> >> /var/log/ipa-server-install-{timestamp}.log <-- Old log with some date >> >> /var/log/ipa-server-install-{timestamp}.log <-- Older log with some >> date >> >> /var/log/ipa-server-install-{timestamp}.log <-- Oldest log with some >> date > > This is way too overengineered for something that should actually be > really simple. I don't care if it is done this way or not, but IMHO it > would be a waste of time. Logs are not API and should not be treated as > such. If it needs to be done differently on RHEL, it should be handled > downstream. Sure logs are not API but they have been named the same way since inception (nearly 8 years now). I don't think symlinking to the old names is a big deal. rob From rcritten at redhat.com Mon Mar 14 12:57:07 2016 
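The arrangement argued over in this thread (a timestamped log file per run, with the long-standing log path kept as a symlink to the newest one), sketched as an added example that is not FreeIPA code. The function names, the timestamp format and the choice to archive a pre-existing regular file under its modification time are assumptions.

```python
import os
import stat
import time

STAMP_FORMAT = "%Y-%m-%dT%H-%M-%SZ"  # assumption: the thread only says {timestamp}


def _stamp(seconds=None):
    """UTC timestamp for a file name; seconds=None means the current time."""
    return time.strftime(STAMP_FORMAT, time.gmtime(seconds))


def repoint_symlink(link_path, target):
    """Make link_path a symlink to target without a window where it is absent.

    The link is created under a random temporary name and renamed over the
    old one; rename() replaces a symlink itself and never follows it.
    """
    tmp = "%s.%s.tmp" % (link_path, os.urandom(8).hex())
    os.symlink(target, tmp)
    try:
        os.replace(tmp, link_path)
    except OSError:
        os.unlink(tmp)
        raise


def archive_legacy_file(legacy_path, log_dir, base):
    """On the first run after an upgrade the legacy path is still a real log.

    Move it into log_dir under its own modification time so it is kept
    rather than overwritten. Returns the archive path, or None if there
    was nothing to archive.
    """
    try:
        st = os.lstat(legacy_path)
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return None
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError("%s is neither a log file nor a symlink" % legacy_path)
    archived = os.path.join(log_dir, "%s-%s.log" % (base, _stamp(st.st_mtime)))
    if os.path.lexists(archived):
        raise FileExistsError(archived)
    os.rename(legacy_path, archived)
    return archived


def open_timestamped_log(log_dir, base, legacy_path, now=None):
    """Create <log_dir>/<base>-<timestamp>.log and point legacy_path at it.

    Returns (fd, path). O_EXCL refuses an existing file or a symlink planted
    at the new name, and the file is created readable by its owner only.
    """
    path = os.path.join(log_dir, "%s-%s.log" % (base, _stamp(now)))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        archive_legacy_file(legacy_path, log_dir, base)
        repoint_symlink(legacy_path, path)
    except Exception:
        os.close(fd)
        os.unlink(path)
        raise
    return fd, path
```

Two runs within the same second collide on the file name and the second one gets `FileExistsError`, so a caller that can be started that quickly needs a finer timestamp or a retry.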
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 14 Mar 2016 08:57:07 -0400
Subject: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil
In-Reply-To: <56E67663.3030405@redhat.com>
References: <56E67663.3030405@redhat.com>
Message-ID: <56E6B523.5060006@redhat.com>

Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes
> and .
>

IMHO you should file a bug against nss as well.

rob

From mbasti at redhat.com Mon Mar 14 13:01:53 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 14 Mar 2016 14:01:53 +0100 Subject: [Freeipa-devel] [PATCH 0095-0098] NTP: use augeas, configure chronyd, do not overwrite config In-Reply-To: <56E6B2A6.9050904@redhat.com> References: <56E27ED4.4020306@redhat.com> <56E6B2A6.9050904@redhat.com> Message-ID: <56E6B641.7030202@redhat.com> On 14.03.2016 13:46, Martin Babinsky wrote: > On 03/11/2016 09:16 AM, David Kupka wrote: >> Current version (0.5.0) of python-augeas is missing copy() method. Use >> dkupka/python-augeas copr repo before new version it's build and >> available in the official repos. >> >> >> > Hi David, > > TLDR: NACK :D. > > Here are high-level remarks to discuss: > > Maybe it would be a good idea to move ipaaugeas/changeconf and ntp to > ipaplatform since it is dealing with (sorta) platform specific > behavior (ntp vs. chrony vs. whatever we will have for timesync in the > future). CC'ing Jan for thoughts. > > Also regarding patches 0096-0097, we could have platform specific > TimeDateService object that could wrap NTP/chrony management. for > example, the task namespace functions in Pathc 0096 could be > reimplemented as a methods of the service (RedhatTimeDateService, > FedoraTimeDateService etc.) and then called in a platform-agnostic > manner. > > Here are some comments regarding code: > > Patch 0095: > > 1.) > + IPA_CUSTOM_AUGEAS_LENSES_DIR = '/usr/share/augeas/lenses/ipa/' > > Do not forget to add this directory to %install and %files spection of > the spec file so that it is correctly added to RPM build. > > 2.) > > please separate import of system-wide and IPA-specific modules by > blank line > > +import collections > +from augeas import Augeas > +from ipaplatform.paths import paths > +from ipapython.ipa_log_manager import root_logger > > 3.) the call to parent's __new__ should have signature 'super(aug_obj, > cls).__new__(*args, **kwargs)' > > + cls._instance = super(aug_obj, cls).__new__(cls, *args, > **kwargs) > > 4.) 
> > + raise RuntimeError('Augeas lenses was loaded. Could not > add more' > + 'lenses.') > > Should be 'Augeas lenses _were_ loaded' > > 5.) > > + if lens in self.lenses: > + raise RuntimeError('Lens %s already added.' % lens) > + self.lenses.append(lens) > + load_path = '/augeas/load/{0}'.format(lens > > > Shouldn't the following code use os.path,join to construct the load_path? > > 6.) I would prefer the following indentation style in the add_lens() > method > > @@ -65,9 +65,9 @@ class aug_obj(object): > for conf_file in conf_files: > self._aug.set(os.path.join(load_path, 'incl[0]'), conf_file) > self.tree['old'] = self.tree.get(conf_file, None) > - self.tree[conf_file] = aug_node(self._aug, > - os.path.join('/files', > - conf_file[1:])) > + self.tree[conf_file] = aug_node( > + self._aug, os.path.join('/files', conf_file[1:]) > + ) > > 7.) I would also prefer if the hardcoded paths like '/augeas/load', > 'files', and '//error' would be made into either module variables or > class members. > > 8.) > > + def load(self): > + if self._loaded: > + raise RuntimeError('Augeas lenses was loaded. Could not > add more' > + 'lenses.') > > Fix the excpetion text in the same way as in 4.) > > 9.) > > + errors = self._aug.match(os.path.join('//error')) > > is the os.path.join necessary here? > > 10.) I guess you can rewrite the error message in load() method using > list comprehension: 
> > @@ -76,9 +76,9 @@ class aug_obj(object): > self._aug.load() > errors = self._aug.match(os.path.join('//error')) > if errors: > - err_msg = "" > - for error in errors: > - err_msg += ("{}: {}".format(error, > self._aug.get(error))) > + err_msg = '\n'.join( > + ["{}: {}".format(e, self._aug.get(e)) for e in errors] > + ) > raise RuntimeError(err_msg) > self._loaded = True > > 11.) > > +class aug_node(collections.MutableMapping): > + """ Single augeas node. > + Can be handled as python dict(). > + """ > + def __init__(self, aug, path): > + self._aug = aug > + if path and os.path.isabs(path): > + self._path = path > + else: > + self._tmp = _tmp_path(aug, path) > + self._path = self._tmp.path > > Isn't it better to change signature of __init__ to: > > def __init__(self, aug, path=None): > > and then test whether path is None? > > 12.) > > def __setitem__(self, key, node): > + target = os.path.join(self._path, key) > + end = '{0}[0]'.format(os.path.join(self._path, key)) > + if self._aug.match(target): > + self._aug.remove(target) > + target_list = aug_list(self._aug, target) > + for src_node in aug_list(node._aug, node._path): > + target_list.append(src_node) > > The 'end' variable is declared but not used. > > 13.) > > + > + def __len__(self): > + return len(self._aug.match('{0}/*'.format(self._path))) > + > + def __iter__(self): > + for key in self._aug.match('{0}/*'.format(self._path)): > + yield self._aug.label(key) > + raise StopIteration() > + > > Shouldn't we construct paths using os.path.join for the sake of > consistency? > > 14.) > > + def __bool__(self): > + return (bool(len(self)) or bool(self.value)) > > The parentheses around the boolean expression are not needed > > 15.) > > +class aug_list(collections.MutableSequence): > + """Augeas NODESET. > + Can be handled as a list(). 
> + """ > + def __init__(self, aug, path): > + self._aug = aug > + if path and os.path.isabs(path): > + self._path = path > + else: > + self._tmp = _tmp_path(aug, path) > + self._path = self._tmp.path > > I would use 'path=None' in the signature and then test whether 'path > is not None'. > > 16.) > > + if not self._aug.match(target): > + raise IndexError() > > It would be nice if you could put some basic error message into the > raised exceptions, like "node index out of range" or something like that > > 17.) > > + elif isinstance(index, slice): > + label = self._path.split('/')[-1] > > you could use os.path.basename() to get the leaf node. > > > 18.) > > + replace = range_target[:len(node)] > + delete = create = [] > > Be careful here as you create two references to the same empty list > object, which is probably not what you wanted. > > 19.) > + try: > + create_start = range_target[-1]+1 > + except IndexError: > + create_start = self._idx_pos(index.start) > + create_stop = create_start+len(node)-len(replace) > + create = list(range(create_start, create_stop)) > > Please respect PEP8 and put spaces around arithmetic operators in > assignments. > > Also it would be nice to have at least a minimal test suite for this > module, but that may be a separate ticket. > > patch 0096: > > 1.) please fix the commit message > 2.) please use new-style license header in ipapython/ntp.py > 3.) > > + return ("Conflicting Time&Date synchroniztion service '%s' is " > + "currently enabled and/or running on the system." > + % self.conflicting_service) > > Please fix the typo in the error message. > > 4.) > + service = services.service(self.service_name) > + if sstore: > + if sstore.get_state('ntp', 'enabled') is None: > + sstore.backup_state('ntp', 'enabled', > service.is_enabled()) > + > + if fstore: > + if not fstore.has_file(self.conf_file): > + fstore.backup_file(self.conf_file) > > the conditions in the 'if' statement can be merged into single AND > expression > > 5.) 
> + self._store_service_state(sstore, fstore) > + if sstore: > + sstore.backup_state('ntp', "enabled", service.is_enabled()) > + > + if fstore: > + fstore.backup_file(self.conf_file) > > I think these checks are redundant here. > > 6.) > + # In such case it is OK to fail > + try: > + restored = fstore.restore_file(self.conf_file) > + except Exception: > + pass > > Instead of 'pass' it would be better to set restored to False so that > you don't hit NameError later. > > 7.) > + > + def configure_client(self, ntp_servers=[], sstore=None, > fstore=None): > + self.server_options['burst'] = None > + self.server_options['iburst'] = None > > I would rather set these instance variables in __init__() than here. > > 8.) > > + def configure_client(self, ntp_servers=[], sstore=None, > fstore=None): > + self.conf_file = paths.CHRONY_CONF > self.conf_file is already defined in constructor. > > 9.) > > + self.server_options['iburst'] = None > this should be moved to __init__() > > 10.) > + with ipaaugeas.aug_obj() as aug: > + try: > + aug.add_lens(self.lens, [self.conf_file]) > + aug.load() > + except RuntimeError as e: > + raise NTPConfigurationError(e) > > This code is repeated quite a few times, maybe it would be a good idea > to factor it out to a method of NTPService object. > > > Patch 0097: > > 1.) please fix a typo here: > > + description="Disble any other Time synchronization services." > > 2.) > > + installutils, kra, krbinstance, memcacheinstance, ntpinstance, > you have 2 spaces before 'ntpinstance' > I'm adding my nitpicks too :) 1) +#!/usr/bin/python This should not be in modules, only in executable files 2) Missing license in ipaaugeas.py Martin^2 From jcholast at redhat.com Mon Mar 14 13:15:24 2016 
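Review bot: In patch 0095, the RuntimeError raised in load() (and the identical message quoted under item 4) is built from two adjacent string literals, 'Augeas lenses was loaded. Could not add more' and 'lenses.', with no space between them, so the text reads "Could not add morelenses." at run time. Add a trailing space to the first literal in the same change that fixes the was/were wording.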
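Review bot: In patch 0095, aug_node.__iter__ ends its generator body with raise StopIteration(). A generator already finishes when its body returns, so the raise is redundant, and under PEP 479 a StopIteration raised inside a generator body is converted to RuntimeError, which would make every complete iteration over a node fail on Python 3 once that behaviour is the default. Drop the raise and let the loop fall off the end.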
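Review bot: In patch 0096, configure_client() is declared with ntp_servers=[] as a default argument. The default list is created once at function definition and shared by every call that omits the argument, so any in-place change to it carries over into later calls. Prefer ntp_servers=None and substitute an empty list inside the method.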
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 14 Mar 2016 14:15:24 +0100 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs In-Reply-To: <56E6B50F.6050200@redhat.com> References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com> <56E2D799.3000705@redhat.com> <56E662F3.8010408@redhat.com> <56E6B50F.6050200@redhat.com> Message-ID: <56E6B96C.6030404@redhat.com> On 14.3.2016 13:56, Rob Crittenden wrote: > Jan Cholasta wrote: >> On 11.3.2016 15:56, Gabe Alford wrote: >>> On Fri, Mar 11, 2016 at 7:35 AM, Petr Vobornik >> > wrote: >>> >>> On 03/11/2016 03:00 PM, Rob Crittenden wrote: >>> >>> Martin Kosek wrote: >>> >>> On 03/11/2016 09:55 AM, Jan Cholasta wrote: >>> >>> On 11.3.2016 09:33, Martin Kosek wrote: >>> >>> On 03/08/2016 07:07 PM, Martin Basti wrote: >>> >>> >>> >>> On 08.03.2016 16:37, Martin Basti wrote: >>> >>> >>> >>> On 08.03.2016 16:31, Martin Basti wrote: >>> >>> >>> https://fedorahosted.org/freeipa/ticket/4501 >>> >>> Patch attached. >>> >>> >>> Rebased patch attached. >>> >>> >>> >>> self-NACK >>> >>> Scripts print to CLI unformatted strings, it >>> should not be so easy. >>> See /var/log/ipaupgrade-{timestamp}.log for more >>> information >>> >>> >>> second-NACK. We cannot break existing log file >>> paths. The paths are mentioned >>> in a documentation and there may be also automation >>> around that (gathering log >>> files). So there should be always symlink from the >>> well known location to the >>> newest timestampe'd log. >>> >>> >>> Sorry, but this is absurd. What's the point of >>> maintaining backward >>> compatibility with obsolete documentation? Following >>> this logic, we would not >>> be able to change anything ever. What we should actually >>> do is update the >>> documentation. Ditto for automation. 
>>> >>> >>> +1 for updating the automation and documentation. But some >>> backward >>> compatibility will need to be retained, at least for the >>> stable systems like >>> RHEL where *other* people may have some automation or >>> documentation around it, >>> not just us. >>> >>> >>> Or you could just also create a symlink to the old name and it >>> will >>> always just work. >>> >>> rob >>> >>> >>> Aren't the symlinks what Martin2 mentioned in second-NACK? >>> >>> These new timestamped logs should be combined with the Gabe's >>> patches: #5728 (renamed to command name) and #5724 (move to >>> /var/log/ipa directory). >>> >>> So that there will be e.g.: >>> /var/log/ipaserver-install.log -> >>> /var/log/ipa-server-install-{timestamp}.log >>> >>> /var/log/ipa/ipa-server-install.log -> >>> /var/log/ipa-server-install-{timestamp}.log >>> >>> >>> I wonder if it would be simpler/better to always write to the *.log >>> file, and then have old logs timestamped rather than write directly to a >>> timestamped log file? >>> Then just symlink the original log file in /var/log/ to the new log file >>> name/location in /var/log/ipa. >>> >>> For example: >>> /var/log/ipaserver-install.log -> >>> /var/log/ipa/ipa-server-install.log <-- We write to this >>> log (current) >>> >>> /var/log/ipa-server-install-{timestamp}.log <-- Old log with some date >>> >>> /var/log/ipa-server-install-{timestamp}.log <-- Older log with some >>> date >>> >>> /var/log/ipa-server-install-{timestamp}.log <-- Oldest log with some >>> date >> >> This is way too overengineered for something that should actually be >> really simple. I don't care if it is done this way or not, but IMHO it >> would be a waste of time. Logs are not API and should not be treated as >> such. If it needs to be done differently on RHEL, it should be handled >> downstream. > > Sure logs are not API but they have been named the same way since > inception (nearly 8 years now). 
I don't think symlinking to the old > names is a big deal. It kind of is, since you have to keep the symlink up to date, handle the case when there is a regular file in place of the symlink, and they won't work properly for commands which currently append to their log files rather than overwrite them anyway. To do this properly, you have to add a new FileHandler with proper options for each old log file. IMHO there is no benefit in doing this upstream, but it is relatively straightforward and isolated to be done downstream. -- Jan Cholasta From mkosek at redhat.com Mon Mar 14 14:10:55 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 14 Mar 2016 15:10:55 +0100 Subject: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name In-Reply-To: <20160314051824.GX4492@redhat.com> References: <20160314040417.GH12127@dhcp-40-8.bne.redhat.com> <20160314051824.GX4492@redhat.com> Message-ID: <56E6C66F.90605@redhat.com> On 03/14/2016 06:18 AM, Alexander Bokovoy wrote: > On Mon, 14 Mar 2016, Fraser Tweedale wrote: >> The attached patch fixes >> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander >> for finding and reporting. >> >> Cheers, >> Fraser > >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001 
>> From: Fraser Tweedale >> Date: Mon, 14 Mar 2016 14:49:47 +1100 >> Subject: [PATCH] caacl: correctly handle full user principal name >> >> The caacl HBAC request is correct when just the username is given, >> but the full 'user at REALM' form was not handled correctly. >> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733 > A context might be helpful here: if you are using certmonger's -K option > to specify a user principal name to add to certificate, the name will > get normalized to include the realm. This is how it gets to caacl check. > > ACK. Seeing the patch, I am curious - is the realm validated anywhere or is it just dropped and we just assume it is FreeIPA one? I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted AD realm for example? From pvoborni at redhat.com Mon Mar 14 15:26:25 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 14 Mar 2016 16:26:25 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E6A739.3000505@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> Message-ID: <56E6D821.7090200@redhat.com> On 03/14/2016 12:57 PM, Jan Cholasta wrote: > On 14.3.2016 12:50, Martin Basti wrote: >> >> >> On 14.03.2016 12:05, Jan Cholasta wrote: >>> Hi, >>> >>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>> Hi, >>>> >>>> Please see the patch attached. Contrary to the discussion at >>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix >>>> option for clean_ruv command. If this command is available for normal >>>> RUVs, it should probably be available for CS-RUVs as well (or >>>> deprecated >>>> for both with advised use of clean_dangling_ruv). >>> >>> ipa-csreplica-manage is used to manage the CA suffix, so >>> ipa-csreplica-manage should be extended instead of adding --suffix >>> option to ipa-replica-manage. Having half of the CA suffix managed by >>> ipa-replica-manage and the other half by ipa-replica-manage is >>> confusing. >>> >>> Honza >>> >> There is a design document about deprecating ipa-csreplica-manage and >> move part of its responsibilities to ipa-replica-manage. >> >> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >> >> >> >> So patch is compatible with design. > > The design is wrong then. I don't agree. > > Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage > sub-commands respect the --suffix option. Anything else is inconsistent > mess. That's the idea for domain level 1. There is little value in extending behavior(managing replication agreements) in domain level 0. Main idea is to not care about suffixes and work with all suffixes right away. 
This is reflected in clean-dangling-ruv command and these extensions are its counterpart - to enable disabling the run. We mostly care about replica IDs not suffixes they belong to. IMO --suffix option is not necessary and is mostly for debugging. One of the reasons why we have all the RUV commands is a mess after uninstallation when somebody forgets/ignores to run `ipa-csreplica-manage del $server` or also `ipa-replica-manage del $server` before uninstallation of replica. Users then usually run `ipa-replica-manage del $server` --force --clean` but `ipa-csreplica-manage del $server` can't be run after it. Changes in 4.3 and 4.4 tries to prevent this situation (e.g. by calling equivalent of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`). But until then mess is cleaned on all servers, we should deal with it with the most convenient way - hiding implementation details. -- Petr Vobornik From jcholast at redhat.com Mon Mar 14 15:55:01 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 14 Mar 2016 16:55:01 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E6D821.7090200@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> Message-ID: <56E6DED5.3080905@redhat.com> On 14.3.2016 16:26, Petr Vobornik wrote: > On 03/14/2016 12:57 PM, Jan Cholasta wrote: >> On 14.3.2016 12:50, Martin Basti wrote: >>> >>> >>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>> Hi, >>>>> >>>>> Please see the patch attached. Contrary to the discussion at >>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix >>>>> option for clean_ruv command. If this command is available for normal >>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>> deprecated >>>>> for both with advised use of clean_dangling_ruv). >>>> >>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>> ipa-csreplica-manage should be extended instead of adding --suffix >>>> option to ipa-replica-manage. Having half of the CA suffix managed by >>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>> confusing. >>>> >>>> Honza >>>> >>> There is a design document about deprecating ipa-csreplica-manage and >>> move part of its responsibilities to ipa-replica-manage. >>> >>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>> >>> >>> >>> >>> So patch is compatible with design. >> >> The design is wrong then. > > I don't agree. > >> >> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage >> sub-commands respect the --suffix option. Anything else is inconsistent >> mess. > > That's the idea for domain level 1. 
There is little value in extending > behavior(managing replication agreements) in domain level 0. Domain level 0 is still relevant, it won't go away anytime soon. > > Main idea is to not care about suffixes and work with all suffixes right > away. This is reflected in clean-dangling-ruv command and these > extensions are its counterpart - to enable disabling the run. We mostly > care about replica IDs not suffixes they belong to. IMO --suffix option > is not necessary and is mostly for debugging. > > One of the reasons why we have all the RUV commands is a mess after > uninstallation when somebody forgets/ignores to run > `ipa-csreplica-manage del $server` or also `ipa-replica-manage del > $server` before uninstallation of replica. Users then usually run > `ipa-replica-manage del $server` --force --clean` but > `ipa-csreplica-manage del $server` can't be run after it. Changes in > 4.3 and 4.4 tries to prevent this situation (e.g. by calling equivalent > of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`). > But until then mess is cleaned on all servers, we should deal with it > with the most convenient way - hiding implementation details. > This is actually exposing implementation details by forcing the user to use a different command based on the domain level. Please explain to me how any of the above requires us to introduce additional inconsistencies and bad UX to IPA. -- Jan Cholasta From pvoborni at redhat.com Mon Mar 14 16:18:03 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 14 Mar 2016 17:18:03 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E6DED5.3080905@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> Message-ID: <56E6E43B.4050805@redhat.com> On 03/14/2016 04:55 PM, Jan Cholasta wrote: > On 14.3.2016 16:26, Petr Vobornik wrote: >> On 03/14/2016 12:57 PM, Jan Cholasta wrote: >>> On 14.3.2016 12:50, Martin Basti wrote: >>>> >>>> >>>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>>> Hi, >>>>>> >>>>>> Please see the patch attached. Contrary to the discussion at >>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix >>>>>> option for clean_ruv command. If this command is available for normal >>>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>>> deprecated >>>>>> for both with advised use of clean_dangling_ruv). >>>>> >>>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>>> ipa-csreplica-manage should be extended instead of adding --suffix >>>>> option to ipa-replica-manage. Having half of the CA suffix managed by >>>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>>> confusing. >>>>> >>>>> Honza >>>>> >>>> There is a design document about deprecating ipa-csreplica-manage and >>>> move part of its responsibilities to ipa-replica-manage. >>>> >>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>>> >>>> >>>> >>>> >>>> >>>> So patch is compatible with design. >>> >>> The design is wrong then. >> >> I don't agree. >> >>> >>> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage >>> sub-commands respect the --suffix option. 
Anything else is inconsistent >>> mess. >> >> That's the idea for domain level 1. There is little value in extending >> behavior(managing replication agreements) in domain level 0. > > Domain level 0 is still relevant, it won't go away anytime soon. > >> >> Main idea is to not care about suffixes and work with all suffixes right >> away. This is reflected in clean-dangling-ruv command and these >> extensions are its counterpart - to enable disabling the run. We mostly >> care about replica IDs not suffixes they belong to. IMO --suffix option >> is not necessary and is mostly for debugging. >> >> One of the reasons why we have all the RUV commands is a mess after >> uninstallation when somebody forgets/ignores to run >> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del >> $server` before uninstallation of replica. Users then usually run >> `ipa-replica-manage del $server` --force --clean` but >> `ipa-csreplica-manage del $server` can't be run after it. Changes in >> 4.3 and 4.4 tries to prevent this situation (e.g. by calling equivalent >> of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`). >> But until then mess is cleaned on all servers, we should deal with it >> with the most convenient way - hiding implementation details. >> > > This is actually exposing implementation details by forcing the user to > use a different command based on the domain level. What different commands? > Please explain to me how any of the above requires us to introduce > additional inconsistencies and bad UX to IPA. What bad UX? It is supposed to be used in following way: ipa-replica-manage clean-dangling-ruvs If from whatever reason some clean ruv task is not finished then: ipa-replica-manage list-clean-ruv [all running task for all suffixes] ipa-replica-manage abort-clean-ruv REPLICATION_ID Nothing else. Works for both domain levels and suffixes from a single tool. Again, --suffix option is not important. 
Note: clean-ruv subcommand could be probably marked as deprecated or be discouraged to use. If the patch doesn't implement it, then it's wrong. -- Petr Vobornik From cfu at redhat.com Mon Mar 14 16:29:37 2016 
From: cfu at redhat.com (Christina Fu) Date: Mon, 14 Mar 2016 09:29:37 -0700 Subject: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance In-Reply-To: <20160313075117.GD12127@dhcp-40-8.bne.redhat.com> References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com> <56DD20D0.50706@redhat.com> <20160311010629.GC12127@dhcp-40-8.bne.redhat.com> <56E30C81.2020609@redhat.com> <20160313075117.GD12127@dhcp-40-8.bne.redhat.com> Message-ID: <56E6E6F1.3090100@redhat.com> On 03/12/2016 11:51 PM, Fraser Tweedale wrote: > On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote: >> Hi Fraser, >> >> I think the general idea looks good. If tested to work, I actually think >> you should have it replace the current caServerCert.cfg and make it the >> default server cert profile for Dogtag. So I'd suggest you name things more >> generically. >> > Thanks Christina for the feedback. W.r.t naming, can you clarify > what you think should be more generic and why? Actually it was more of a preemptive comment that was not specifically directed towards anything in your current design. I just took a closer look, and I think your new profile plugin name (|SubjectAltNameCopyCNDefault|) sounds good. About replacing existing caServerCert.cfg, consider keeping it, but 1. name the new profile something like caServerSANCert.cfg 2. make caServerSANCert.cfg default (enable it), and disable caServerCert.cfg by default Anyway, you get the idea. The point is that I think we should fundamentally adhere to the standard in Dogtag, so such a fix should be part of the Dogtag default. thanks, Christina > >> Just for your reference, there is an implementation that injects SAN(s) into >> server certs at time of Dogtag instance creation. It also allows one to put >> multiple SANs in one ssl server cert: >> https://fedorahosted.org/pki/ticket/1316#comment:14 >> again, it's only limited to pkispawn option so it serves a different >> purpose. 
>> >> Christina >> >> On 03/10/2016 05:06 PM, Fraser Tweedale wrote: >>> On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 29.2.2016 07:59, Fraser Tweedale wrote: >>>>> Hi all (especially those interested in certificates), >>>>> >>>>> Please provide early review of my design for RFC 2818 compliance >>>>> which will address the following tickets: >>>>> >>>>> - #4970 Server certificate profile should always include a Subject Alternate name for the host >>>>> - #5706 [RFE] Support SAN-only certificates >>>>> >>>>> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance >>>>> >>>>> The design is a WIP and there is no code for it yet. Looking for >>>>> feedback and (hopefully) validation of the approach before >>>>> committing cycles to implementing new profile components in Dogtag. >>>> 1) Do wildcard certificates need special handling? There is no mention of >>>> them in the design doc. >>>> >>> No special handling of wildcard certs is needed but I've added some >>> commentary to the design page. >>> >>>> 2) Should we accept invalid CSR where CN length is greater than 64? I >>>> wouldn't be surprised if these existed in the wild. >>>> >>> Good question. I agree such CSRs probably exist. There are various >>> ways to handle them: >>> >>> a) Reject request (with useful message; instruction to issue >>> SAN-only request instead) >>> >>> b) Issue non-compliant cert with overlong CN. It will be helpful to >>> find out how important clients handle such certs. >>> >>> c) Accept the CSR but "promote" the overlong CN from CSR into a SAN >>> dnsName, and issue a SAN-only cert. Some clients may not handle >>> such certs very well. >>> >>> Personally I like (c), because the user intent is clear but we still >>> issue a valid cert, however, I expect there are clients out there >>> (particularly in "enterprise" environments?) that will not handle it >>> well. 
>>> >>> I've copied pki-devel@ to solicit additional insights here :) >>> >>>> 3) Sometimes it is not clear which parts belong to Dogtag and which to IPA >>>> itself. For example the upgrade section - I assume Dogtag should update >>>> registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated >>>> anywhere. >>>> >>> Thanks, I've added clarifying remarks. In brief: yes Dogtag should >>> update registry.cfg, but FreeIPA should update the profile. >>> >>> Thank you for your feedback, Jan. >>> Fraser >>> >>> _______________________________________________ >>> Pki-devel mailing list >>> Pki-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-devel >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbasti at redhat.com Mon Mar 14 17:26:08 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 14 Mar 2016 18:26:08 +0100 Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode In-Reply-To: <56E18BC8.1000700@redhat.com> References: <56E18BC8.1000700@redhat.com> Message-ID: <56E6F430.4020900@redhat.com> On 10.03.2016 15:59, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5380 > > > NACK 1) Maybe we should print traceback in verbose mode for RuntimeError as well. 2) IMO would be better to print traceback first and then, print error Martin^2 From ftweedal at redhat.com Mon Mar 14 21:59:57 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 15 Mar 2016 07:59:57 +1000 Subject: [Freeipa-devel] [Pki-devel] Design review request: RFC 2818 certificate compliance In-Reply-To: <56E6E6F1.3090100@redhat.com> References: <20160229065915.GC21191@dhcp-40-8.bne.redhat.com> <56DD20D0.50706@redhat.com> <20160311010629.GC12127@dhcp-40-8.bne.redhat.com> <56E30C81.2020609@redhat.com> <20160313075117.GD12127@dhcp-40-8.bne.redhat.com> <56E6E6F1.3090100@redhat.com> Message-ID: <20160314215957.GI12127@dhcp-40-8.bne.redhat.com> On Mon, Mar 14, 2016 at 09:29:37AM -0700, Christina Fu wrote: > > > On 03/12/2016 11:51 PM, Fraser Tweedale wrote: > >On Fri, Mar 11, 2016 at 10:20:49AM -0800, Christina Fu wrote: > >>Hi Fraser, > >> > >>I think the general idea looks good. If tested to work, I actually think > >>you should have it replace the current caServerCert.cfg and make it the > >>default server cert profile for Dogtag. So I'd suggest you name things more > >>generically. > >> > >Thanks Christina for the feedback. W.r.t naming, can you clarify > >what you think should be more generic and why? > Actually it was more of a preemptive comment that was not specifically > directed towards anything in your current design. > I just took a closer look, and I think your new profile plugin name > (|SubjectAltNameCopyCNDefault|) sounds good. > > About replacing existing caServerCert.cfg, consider keeping it, but > 1. name the new profile something like caServerSANCert.cfg > 2. make caServerSANCert.cfg default (enable it), and disable > caServerCert.cfg by default > > Anyway, you get the idea. The point is that I think we should fundamentally > adhere to the standard in Dogtag, so such a fix should be part of the Dogtag > default. > > thanks, > Christina > Understood; thanks. I'll file a ticket for the Dogtag profile change. > > > >>Just for your reference, there is an implementation that injects SAN(s) into > >>server certs at time of Dogtag instance creation. 
It also allows one to put > >>multiple SANs in one ssl server cert: > >>https://fedorahosted.org/pki/ticket/1316#comment:14 > >>again, it's only limited to pkispawn option so it serves a different > >>purpose. > >> > >>Christina > >> > >>On 03/10/2016 05:06 PM, Fraser Tweedale wrote: > >>>On Mon, Mar 07, 2016 at 07:33:52AM +0100, Jan Cholasta wrote: > >>>>Hi, > >>>> > >>>>On 29.2.2016 07:59, Fraser Tweedale wrote: > >>>>>Hi all (especially those interested in certificates), > >>>>> > >>>>>Please provide early review of my design for RFC 2818 compliance > >>>>>which will address the following tickets: > >>>>> > >>>>>- #4970 Server certificate profile should always include a Subject Alternate name for the host > >>>>>- #5706 [RFE] Support SAN-only certificates > >>>>> > >>>>>http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance > >>>>> > >>>>>The design is a WIP and there is no code for it yet. Looking for > >>>>>feedback and (hopefully) validation of the approach before > >>>>>committing cycles to implementing new profile components in Dogtag. > >>>>1) Do wildcard certificates need special handling? There is no mention of > >>>>them in the design doc. > >>>> > >>>No special handling of wildcard certs is needed but I've added some > >>>commentary to the design page. > >>> > >>>>2) Should we accept invalid CSR where CN length is greater than 64? I > >>>>wouldn't be surprised if these existed in the wild. > >>>> > >>>Good question. I agree such CSRs probably exist. There are various > >>>ways to handle them: > >>> > >>>a) Reject request (with useful message; instruction to issue > >>> SAN-only request instead) > >>> > >>>b) Issue non-compliant cert with overlong CN. It will be helpful to > >>> find out how important clients handle such certs. > >>> > >>>c) Accept the CSR but "promote" the overlong CN from CSR into a SAN > >>> dnsName, and issue a SAN-only cert. Some clients may not handle > >>> such certs very well. 
> >>> > >>>Personally I like (c), because the user intent is clear but we still > >>>issue a valid cert, however, I expect there are clients out there > >>>(particularly in "enterprise" environments?) that will not handle it > >>>well. > >>> > >>>I've copied pki-devel@ to solicit additional insights here :) > >>> > >>>>3) Sometimes it is not clear which parts belong to Dogtag and which to IPA > >>>>itself. For example the upgrade section - I assume Dogtag should update > >>>>registry.cfg and IPA caIPAserviceCert profile, but it is not clearly stated > >>>>anywhere. > >>>> > >>>Thanks, I've added clarifying remarks. In brief: yes Dogtag should > >>>update registry.cfg, but FreeIPA should update the profile. > >>> > >>>Thank you for your feedback, Jan. > >>>Fraser > >>> > From ftweedal at redhat.com Tue Mar 15 01:31:00 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 15 Mar 2016 11:31:00 +1000 Subject: [Freeipa-devel] [PATCH] 0050 caacl: correctly handle full user principal name In-Reply-To: <56E6C66F.90605@redhat.com> References: <20160314040417.GH12127@dhcp-40-8.bne.redhat.com> <20160314051824.GX4492@redhat.com> <56E6C66F.90605@redhat.com> Message-ID: <20160315013100.GM12127@dhcp-40-8.bne.redhat.com> On Mon, Mar 14, 2016 at 03:10:55PM +0100, Martin Kosek wrote: > On 03/14/2016 06:18 AM, Alexander Bokovoy wrote: > > On Mon, 14 Mar 2016, Fraser Tweedale wrote: > >> The attached patch fixes > >> https://fedorahosted.org/freeipa/ticket/5733. Thanks to Alexander > >> for finding and reporting. > >> > >> Cheers, > >> Fraser 
> >
> >> From 9bd7b74d9c928f386bd7dae59588580881ed1a9d Mon Sep 17 00:00:00 2001
> >> From: Fraser Tweedale
> >> Date: Mon, 14 Mar 2016 14:49:47 +1100
> >> Subject: [PATCH] caacl: correctly handle full user principal name
> >>
> >> The caacl HBAC request is correct when just the username is given,
> >> but the full 'user@REALM' form was not handled correctly.
> >>
> >> Fixes: https://fedorahosted.org/freeipa/ticket/5733
> > A context might be helpful here: if you are using certmonger's -K option
> > to specify a user principal name to add to certificate, the name will
> > get normalized to include the realm. This is how it gets to caacl check.
> >
> > ACK.
>
> Seeing the patch, I am curious - is the realm validated anywhere or is it just
> dropped and we just assume it is FreeIPA one?
>
> I mean, do we make sure that REALM matches FreeIPA REALM and it is not trusted
> AD realm for example?
>
Martin, glad you asked. We catch that situation elsewhere:

    ftweedal% ipa cert-request --principal alice@NOTMYDOMAIN.ORG alice.csr
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server

Cheers,
Fraser

From jcholast at redhat.com Tue Mar 15 06:25:32 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 15 Mar 2016 07:25:32 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E6E43B.4050805@redhat.com>
References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com>
Message-ID: <56E7AADC.3060407@redhat.com>

On 14.3.2016 17:18, Petr Vobornik wrote:
> On 03/14/2016 04:55 PM, Jan Cholasta wrote:
>> On 14.3.2016 16:26, Petr Vobornik wrote:
>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote:
>>>> On 14.3.2016 12:50, Martin Basti wrote:
>>>>>
>>>>> On 14.03.2016 12:05, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Please see the patch attached. Contrary to the discussion at
>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>>>>>>> option for clean_ruv command. If this command is available for normal
>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or deprecated
>>>>>>> for both with advised use of clean_dangling_ruv).
>>>>>>
>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so
>>>>>> ipa-csreplica-manage should be extended instead of adding --suffix
>>>>>> option to ipa-replica-manage. Having half of the CA suffix managed by
>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is
>>>>>> confusing.
>>>>>>
>>>>>> Honza
>>>>>>
>>>>> There is a design document about deprecating ipa-csreplica-manage and
>>>>> move part of its responsibilities to ipa-replica-manage.
>>>>>
>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes
>>>>>
>>>>> So patch is compatible with design.
>>>>
>>>> The design is wrong then.
>>>
>>> I don't agree.
>>>
>>>>
>>>> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage
>>>> sub-commands respect the --suffix option. Anything else is inconsistent
>>>> mess.
>>>
>>> That's the idea for domain level 1. There is little value in extending
>>> behavior (managing replication agreements) in domain level 0.
>>
>> Domain level 0 is still relevant, it won't go away anytime soon.
>>
>>>
>>> Main idea is to not care about suffixes and work with all suffixes right
>>> away. This is reflected in clean-dangling-ruv command and these
>>> extensions are its counterpart - to enable disabling the run. We mostly
>>> care about replica IDs not suffixes they belong to. IMO --suffix option
>>> is not necessary and is mostly for debugging.
>>>
>>> One of the reasons why we have all the RUV commands is a mess after
>>> uninstallation when somebody forgets/ignores to run
>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del
>>> $server` before uninstallation of replica. Users then usually run
>>> `ipa-replica-manage del $server --force --clean` but
>>> `ipa-csreplica-manage del $server` can't be run after it. Changes in
>>> 4.3 and 4.4 try to prevent this situation (e.g. by calling equivalent
>>> of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`).
>>> But until then mess is cleaned on all servers, we should deal with it
>>> with the most convenient way - hiding implementation details.
>>>
>>
>> This is actually exposing implementation details by forcing the user to
>> use a different command based on the domain level.
>
> What different commands?

ipa-replica-manage vs ipa-csreplica-manage vs API commands.

>
>> Please explain to me how any of the above requires us to introduce
>> additional inconsistencies and bad UX to IPA.
>
> What bad UX?

This is how replicas are managed in domain level 0 without the patch:

                       suffix
                       both     domain   ca
    list               -        i-r-m    i-c-m
    list-ruv           -        i-r-m    -
    connect            -        i-r-m    i-c-m
    disconnect         -        i-r-m    i-c-m
    del                -        i-r-m    i-c-m
    re-initialize      -        i-r-m    i-c-m
    force-sync         -        i-r-m    i-c-m
    clean-ruv          -        i-r-m    -
    abort-clean-ruv    -        i-r-m    -
    list-clean-ruv     i-r-m    -        -
    clean-dangling-ruv i-r-m    -        -

(i-r-m == ipa-replica-manage, etc.)

This is how replicas are managed in domain level 1 with the patch:

                       suffix
                       both     domain       ca
    list               -        i-r-m        i-c-m
                       s-f      s-f -ts=d    s-f -ts=c
    list-ruv           i-r-m    i-r-m -s=d   i-r-m -s=c
    connect            -        ts-a d       ts-a c
    disconnect         -        ts-d d       ts-d c
    del                i-r-m    -            -
                       s-d      -            -
    re-initialize      -        i-r-m        i-c-m
                       -        ts-r d       ts-r c
    force-sync         -        i-r-m        i-c-m
    clean-ruv          i-r-m    i-r-m -s=d   i-r-m -s=c
    abort-clean-ruv    i-r-m    i-r-m -s=d   i-r-m -s=c
    list-clean-ruv     i-r-m    -            -
    clean-dangling-ruv i-r-m    -            -

(s-f -ts=d == server-find --topologysuffixes=domain, etc.)

Maybe it's just me, but I fail to see the pattern here and find this
very confusing. (Note that I'm not trying to blame this particular patch
for this, I'm just frustrated from the overall state.)

>
> It is supposed to be used in following way:
> ipa-replica-manage clean-dangling-ruvs
>
> If from whatever reason some clean ruv task is not finished then:
> ipa-replica-manage list-clean-ruv
> [all running task for all suffixes]
> ipa-replica-manage abort-clean-ruv REPLICATION_ID
>
> Nothing else. Works for both domain levels and suffixes from a single
> tool. Again, --suffix option is not important.

This changes the default behavior in domain level 0. I thought we are not
extending domain level 0 anymore, you said it yourself in a comment above.

>
> Note: clean-ruv subcommand could be probably marked as deprecated or be
> discouraged to use.

If the commands are deprecated, why further extend them?

>
> If the patch doesn't implement it, then it's wrong.

The patch changes the default behavior of the sub-commands and extends
them even in domain level 0. I would think at least that should be fixed.

--
Jan Cholasta

From dkupka at redhat.com Tue Mar 15 06:26:04 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 15 Mar 2016 07:26:04 +0100
Subject: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil
In-Reply-To: <56E67663.3030405@redhat.com>
References: <56E67663.3030405@redhat.com>
Message-ID: <56E7AAFC.2000007@redhat.com>

On 14/03/16 09:29, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes
> and .
>
> Honza
>

Hi,
thanks for the patch. I haven't found any distortion of affected use cases, ACK.

--
David Kupka

From dkupka at redhat.com Tue Mar 15 06:43:20 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 15 Mar 2016 07:43:20 +0100
Subject: [Freeipa-devel] [PATCH 0432] use platform path for SSSD log directory
In-Reply-To: <56DEEFEE.3080507@redhat.com>
References: <56DEEFEE.3080507@redhat.com>
Message-ID: <56E7AF08.6030402@redhat.com>

On 08/03/16 16:29, Martin Basti wrote:
> /var/log/SSSD is platform specific, thus should be added to ipaplatform
> module
>
> Patch attached.
>

Works for me, ACK.

--
David Kupka

From dkupka at redhat.com Tue Mar 15 09:46:33 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 15 Mar 2016 10:46:33 +0100
Subject: [Freeipa-devel] [PATCH 0432] stageuser-activate: noralize manager value
In-Reply-To: <56DEB130.3030005@redhat.com>
References: <56DEB130.3030005@redhat.com>
Message-ID: <56E7D9F9.9030907@redhat.com>

On 08/03/16 12:02, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5481
>
> Patch attached.
>

Works for me, ACK.

--
David Kupka

From pvoborni at redhat.com Tue Mar 15 11:47:14 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 15 Mar 2016 12:47:14 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E7AADC.3060407@redhat.com>
References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com>
Message-ID: <56E7F642.8010109@redhat.com>

On 03/15/2016 07:25 AM, Jan Cholasta wrote:
> On 14.3.2016 17:18, Petr Vobornik wrote:
>> On 03/14/2016 04:55 PM, Jan Cholasta wrote:
>>> On 14.3.2016 16:26, Petr Vobornik wrote:
>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote:
>>>>> On 14.3.2016 12:50, Martin Basti wrote:
>>>>>>
>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Please see the patch attached. Contrary to the discussion at
>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>>>>>>>> option for clean_ruv command. If this command is available for normal
>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or deprecated
>>>>>>>> for both with advised use of clean_dangling_ruv).
>>>>>>>
>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so
>>>>>>> ipa-csreplica-manage should be extended instead of adding --suffix
>>>>>>> option to ipa-replica-manage. Having half of the CA suffix managed by
>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is
>>>>>>> confusing.
>>>>>>>
>>>>>>> Honza
>>>>>>>
>>>>>> There is a design document about deprecating ipa-csreplica-manage and
>>>>>> move part of its responsibilities to ipa-replica-manage.
>>>>>>
>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes
>>>>>>
>>>>>> So patch is compatible with design.
>>>>>
>>>>> The design is wrong then.
>>>>
>>>> I don't agree.
>>>>
>>>>>
>>>>> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage
>>>>> sub-commands respect the --suffix option. Anything else is inconsistent
>>>>> mess.
>>>>
>>>> That's the idea for domain level 1. There is little value in extending
>>>> behavior (managing replication agreements) in domain level 0.
>>>
>>> Domain level 0 is still relevant, it won't go away anytime soon.
>>>
>>>>
>>>> Main idea is to not care about suffixes and work with all suffixes right
>>>> away. This is reflected in clean-dangling-ruv command and these
>>>> extensions are its counterpart - to enable disabling the run. We mostly
>>>> care about replica IDs not suffixes they belong to. IMO --suffix option
>>>> is not necessary and is mostly for debugging.
>>>>
>>>> One of the reasons why we have all the RUV commands is a mess after
>>>> uninstallation when somebody forgets/ignores to run
>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del
>>>> $server` before uninstallation of replica. Users then usually run
>>>> `ipa-replica-manage del $server --force --clean` but
>>>> `ipa-csreplica-manage del $server` can't be run after it. Changes in
>>>> 4.3 and 4.4 try to prevent this situation (e.g. by calling equivalent
>>>> of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`).
>>>> But until then mess is cleaned on all servers, we should deal with it
>>>> with the most convenient way - hiding implementation details.
>>>>
>>>
>>> This is actually exposing implementation details by forcing the user to
>>> use a different command based on the domain level.
>>
>> What different commands?
>
> ipa-replica-manage vs ipa-csreplica-manage vs API commands.
>
>>
>>> Please explain to me how any of the above requires us to introduce
>>> additional inconsistencies and bad UX to IPA.
>>
>> What bad UX?
>
> This is how replicas are managed in domain level 0 without the patch:
>
>                        suffix
>                        both     domain   ca
>     list               -        i-r-m    i-c-m
>     list-ruv           -        i-r-m    -
>     connect            -        i-r-m    i-c-m
>     disconnect         -        i-r-m    i-c-m
>     del                -        i-r-m    i-c-m
>     re-initialize      -        i-r-m    i-c-m
>     force-sync         -        i-r-m    i-c-m
>     clean-ruv          -        i-r-m    -
>     abort-clean-ruv    -        i-r-m    -
>     list-clean-ruv     i-r-m    -        -

isn't it?:
                         -        i-r-m    -

>     clean-dangling-ruv i-r-m    -        -
>
> (i-r-m == ipa-replica-manage, etc.)
>
> This is how replicas are managed in domain level 1 with the patch:
>
>                        suffix
>                        both     domain       ca
>     list               -        i-r-m        i-c-m
>                        s-f      s-f -ts=d    s-f -ts=c
>     list-ruv           i-r-m    i-r-m -s=d   i-r-m -s=c
>     connect            -        ts-a d       ts-a c
>     disconnect         -        ts-d d       ts-d c
>     del                i-r-m    -            -
>                        s-d      -            -
>     re-initialize      -        i-r-m        i-c-m
>                        -        ts-r d       ts-r c
>     force-sync         -        i-r-m        i-c-m
>     clean-ruv          i-r-m    i-r-m -s=d   i-r-m -s=c
>     abort-clean-ruv    i-r-m    i-r-m -s=d   i-r-m -s=c
>     list-clean-ruv     i-r-m    -            -
>     clean-dangling-ruv i-r-m    -            -
>
> (s-f -ts=d == server-find --topologysuffixes=domain, etc.)
>
> Maybe it's just me, but I fail to see the pattern here and find this
> very confusing. (Note that I'm not trying to blame this particular patch
> for this, I'm just frustrated from the overall state.)

Yes, backwards compatibility (bc) makes a mess there. But look at the
state in following way (bc hidden):

                       suffix
                       both     domain       ca

    == Normal operations (i.e. all in API) ==
    list               s-f      s-f -ts=d    s-f -ts=c
    connect            -        ts-a d       ts-a c
    disconnect         -        ts-d d       ts-d c
    del                s-d      -            -

    == Debugging & Fixing ==
    re-initialize               ts-r d       ts-r c
                       -        i-r-m        i-c-m
    force-sync         -        i-r-m        i-c-m
    list-ruv           i-r-m
    clean-ruv          i-r-m
    abort-clean-ruv    i-r-m
    list-clean-ruv     i-r-m    -            -
    clean-dangling-ruv i-r-m    -            -

Then we can see that only issue is force-sync operations which use case
I don't really understand and with re-initialize which should be
improved in API to be more usable (currently there is no progress
status).

Note: "debugging and fixing" is basically the same on both domain levels.

>
>>
>> It is supposed to be used in following way:
>> ipa-replica-manage clean-dangling-ruvs
>>
>> If from whatever reason some clean ruv task is not finished then:
>> ipa-replica-manage list-clean-ruv
>> [all running task for all suffixes]
>> ipa-replica-manage abort-clean-ruv REPLICATION_ID
>>
>> Nothing else. Works for both domain levels and suffixes from a single
>> tool. Again, --suffix option is not important.
>
> This changes the default behavior in domain level 0. I thought we are not
> extending domain level 0 anymore, you said it yourself in a comment above.

I meant that we don't need to invest into new features in domain level 0
but RUV commands don't need to behave differently on various domain
levels. There is no reason.

>
>>
>> Note: clean-ruv subcommand could be probably marked as deprecated or be
>> discouraged to use.
>
> If the commands are deprecated, why further extend them?

No reason, clean-ruv subcommand doesn't need to be extended. Maybe to
have similar behavior as rest of ruv commands.

>
>>
>> If the patch doesn't implement it, then it's wrong.
>
> The patch changes the default behavior of the sub-commands and extends
> them even in domain level 0. I would think at least that should be fixed.

Why?

--
Petr Vobornik

From pvomacka at redhat.com Tue Mar 15 12:23:04 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 15 Mar 2016 13:23:04 +0100
Subject: [Freeipa-devel] [PATCH] 0009 webui: Show certificates in useful format
Message-ID: <56E7FEA8.3010404@redhat.com>

Hello,

patch for https://fedorahosted.org/freeipa/ticket/5311 is attached.

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0009-Show-certificate-in-useful-format.patch
Type: text/x-patch
Size: 2556 bytes

From mbasti at redhat.com Tue Mar 15 12:48:36 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 15 Mar 2016 13:48:36 +0100
Subject: [Freeipa-devel] [PATCH 0439] Do not do extra search for ipasshpubkey
Message-ID: <56E804A4.4000505@redhat.com>

https://fedorahosted.org/freeipa/ticket/3376

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0439-Do-not-do-extra-search-for-ipasshpubkey-to-generate-.patch
Type: text/x-patch
Size: 9771 bytes

From mbabinsk at redhat.com Tue Mar 15 14:36:17 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 15 Mar 2016 15:36:17 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56DFBD6F.8010100@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com>
Message-ID: <56E81DE1.4020904@redhat.com>

On 03/09/2016 07:06 AM, Jan Cholasta wrote:
> On 8.3.2016 17:45, Martin Babinsky wrote:
>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>
>>> 1) Instead of checking for utf-8 in particular, I would prefer a more
>>> robust approach:
>>>
>>> try:
>>>     qr = qrcode.QRCode()
>>>     qr.add_data('test')
>>>     qr.make()
>>>     qr.print_ascii(tty=True)
>>> except UnicodeError:
>>>     # it is not printable
>>> else:
>>>     # it is printable
>>>
>> Now you mean the check in the _check_qrcode_capability() or the
>> _print_qrcode() method itself?
>
> _check_qrcode_capability() of course.
>
>>>
>>> 2) There is no os.isatty() check to see if stdout is actually a tty.
>>>
>> This check is performed inside both print_ascii() and print_tty()
>> methods of QRCode object, but you probably mean that I should put the
>> check also into _check_qrcode_capability() method, right?
>
> Yes. If stdout is not a tty, we should at least not tty=True in
> print_ascii().
>
>>>
>>> Honza
>>>
>>
>

Attaching updated patch. After the discussion with other developers we
decided to just print warnings when non-UTF-8 encoding is used and tty
width is smaller than the QR code size.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbabinsk-0139.1-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 4896 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0139.1-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 4862 bytes

From mbabinsk at redhat.com Tue Mar 15 15:03:21 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 15 Mar 2016 16:03:21 +0100
Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode
In-Reply-To: <56E6F430.4020900@redhat.com>
References: <56E18BC8.1000700@redhat.com> <56E6F430.4020900@redhat.com>
Message-ID: <56E82439.2040108@redhat.com>

On 03/14/2016 06:26 PM, Martin Basti wrote:
>
> On 10.03.2016 15:59, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5380
>>
> NACK
>
> 1)
> Maybe we should print traceback in verbose mode for RuntimeError as well.
>
> 2)
> IMO would be better to print traceback first and then, print error
>
> Martin^2

Attaching updated patch.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0141.1-ipa-replica-manage-print-traceback-on-unexpected-err.patch
Type: text/x-patch
Size: 2240 bytes

From mbasti at redhat.com Tue Mar 15 15:40:34 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 15 Mar 2016 16:40:34 +0100
Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings
Message-ID: <56E82CF2.2070902@redhat.com>

https://fedorahosted.org/freeipa/ticket/5737

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0440-Fix-broken-trust-warnings.patch
Type: text/x-patch
Size: 4204 bytes

From mbabinsk at redhat.com Tue Mar 15 16:54:55 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 15 Mar 2016 17:54:55 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56E81DE1.4020904@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com>
Message-ID: <56E83E5F.8060601@redhat.com>

On 03/15/2016 03:36 PM, Martin Babinsky wrote:
> On 03/09/2016 07:06 AM, Jan Cholasta wrote:
>> On 8.3.2016 17:45, Martin Babinsky wrote:
>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>>
>>>> 1) Instead of checking for utf-8 in particular, I would prefer a more
>>>> robust approach:
>>>>
>>>> try:
>>>>     qr = qrcode.QRCode()
>>>>     qr.add_data('test')
>>>>     qr.make()
>>>>     qr.print_ascii(tty=True)
>>>> except UnicodeError:
>>>>     # it is not printable
>>>> else:
>>>>     # it is printable
>>>>
>>> Now you mean the check in the _check_qrcode_capability() or the
>>> _print_qrcode() method itself?
>>
>> _check_qrcode_capability() of course.
>>
>>>>
>>>> 2) There is no os.isatty() check to see if stdout is actually a tty.
>>>>
>>> This check is performed inside both print_ascii() and print_tty()
>>> methods of QRCode object, but you probably mean that I should put the
>>> check also into _check_qrcode_capability() method, right?
>>
>> Yes. If stdout is not a tty, we should at least not tty=True in
>> print_ascii().
>>
>>>>
>>>> Honza
>>>>
>>>
>>
> Attaching updated patch. After the discussion with other developers we
> decided to just print warnings when non-UTF-8 encoding is used and tty
> width is smaller than the QR code size.
>

Found some minor errors in the patch, attaching updated version.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbabinsk-0139.2-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 4938 bytes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0139.2-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 4904 bytes

From npmccallum at redhat.com Tue Mar 15 21:22:53 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Tue, 15 Mar 2016 17:22:53 -0400
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56E83E5F.8060601@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com>
Message-ID: <1458076973.21679.20.camel@redhat.com>

On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
> >
> > On 03/09/2016 07:06 AM, Jan Cholasta wrote:
> > >
> > > On 8.3.2016 17:45, Martin Babinsky wrote:
> > > >
> > > > On 03/08/2016 05:35 PM, Jan Cholasta wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > On 8.3.2016 16:21, Martin Babinsky wrote:
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/5700
> > > > > 1) Instead of checking for utf-8 in particular, I would prefer a more
> > > > > robust approach:
> > > > >
> > > > > try:
> > > > >     qr = qrcode.QRCode()
> > > > >     qr.add_data('test')
> > > > >     qr.make()
> > > > >     qr.print_ascii(tty=True)
> > > > > except UnicodeError:
> > > > >     # it is not printable
> > > > > else:
> > > > >     # it is printable
> > > > >
> > > > Now you mean the check in the _check_qrcode_capability() or the
> > > > _print_qrcode() method itself?
> > > _check_qrcode_capability() of course.
> > >
> > > >
> > > > >
> > > > > 2) There is no os.isatty() check to see if stdout is actually
> > > > > a tty.
> > > > >
> > > > This check is performed inside both print_ascii() and print_tty()
> > > > methods of QRCode object, but you probably mean that I should put the
> > > > check also into _check_qrcode_capability() method, right?
> > > Yes. If stdout is not a tty, we should at least not tty=True in
> > > print_ascii().
> > >
> > > >
> > > > >
> > > > > Honza
> > > > >
> > > >
> > >
> >
> > Attaching updated patch. After the discussion with other developers we
> > decided to just print warnings when non-UTF-8 encoding is used and tty
> > width is smaller than the QR code size.
> >
>
> Found some minor errors in the patch, attaching updated version.

NACK

This patch has the major problem that tokens are added but then
unusable because they can't be provisioned to the devices. You need to
check if qrcode output is possible before the token is added to LDAP.

From jcholast at redhat.com Wed Mar 16 06:25:06 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 16 Mar 2016 07:25:06 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <1458076973.21679.20.camel@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com>
Message-ID: <56E8FC42.1000605@redhat.com>

On 15.3.2016 22:22, Nathaniel McCallum wrote:
> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
>> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
>>>
>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote:
>>>>
>>>> On 8.3.2016 17:45, Martin Babinsky wrote:
>>>>>
>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>>>> 1) Instead of checking for utf-8 in particular, I would prefer a more
>>>>>> robust approach:
>>>>>>
>>>>>> try:
>>>>>>     qr = qrcode.QRCode()
>>>>>>     qr.add_data('test')
>>>>>>     qr.make()
>>>>>>     qr.print_ascii(tty=True)
>>>>>> except UnicodeError:
>>>>>>     # it is not printable
>>>>>> else:
>>>>>>     # it is printable
>>>>>>
>>>>> Now you mean the check in the _check_qrcode_capability() or the
>>>>> _print_qrcode() method itself?
>>>> _check_qrcode_capability() of course.
>>>>
>>>>>
>>>>>>
>>>>>> 2) There is no os.isatty() check to see if stdout is actually
>>>>>> a tty.
>>>>>>
>>>>> This check is performed inside both print_ascii() and print_tty()
>>>>> methods of QRCode object, but you probably mean that I should put the
>>>>> check also into _check_qrcode_capability() method, right?
>>>> Yes. If stdout is not a tty, we should at least not tty=True in
>>>> print_ascii().
>>>>
>>>>>
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>
>>> Attaching updated patch. After the discussion with other developers we
>>> decided to just print warnings when non-UTF-8 encoding is used and tty
>>> width is smaller than the QR code size.
>>>
>> Found some minor errors in the patch, attaching updated version.
>
> NACK
>
> This patch has the major problem that tokens are added but then
> unusable because they can't be provisioned to the devices. You need to
> check if qrcode output is possible before the token is added to LDAP.

We discussed this on the IPA devel meeting and the decision was that
since the otpauth URI is always displayed, a warning is sufficient when
the QR code cannot be printed.

If you disagree, could you explain why the URI is not sufficient for
provisioning the token?

--
Jan Cholasta

From slaznick at redhat.com Wed Mar 16 07:33:48 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Wed, 16 Mar 2016 08:33:48 +0100
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56E7F642.8010109@redhat.com>
References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com>
Message-ID: <56E90C5C.2020703@redhat.com>

On 03/15/2016 12:47 PM, Petr Vobornik wrote:
> On 03/15/2016 07:25 AM, Jan Cholasta wrote:
>> On 14.3.2016 17:18, Petr Vobornik wrote:
>>> On 03/14/2016 04:55 PM, Jan Cholasta wrote:
>>>> On 14.3.2016 16:26, Petr Vobornik wrote:
>>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote:
>>>>>> On 14.3.2016 12:50, Martin Basti wrote:
>>>>>>>
>>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Please see the patch attached. Contrary to the discussion at
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the suffix
>>>>>>>>> option for clean_ruv command. If this command is available for normal
>>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or deprecated
>>>>>>>>> for both with advised use of clean_dangling_ruv).
>>>>>>>>
>>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so
>>>>>>>> ipa-csreplica-manage should be extended instead of adding --suffix
>>>>>>>> option to ipa-replica-manage. Having half of the CA suffix managed by
>>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is
>>>>>>>> confusing.
>>>>>>>>
>>>>>>>> Honza
>>>>>>>>
>>>>>>> There is a design document about deprecating ipa-csreplica-manage and
>>>>>>> move part of its responsibilities to ipa-replica-manage.
>>>>>>>
>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes
>>>>>>>
>>>>>>> So patch is compatible with design.
>>>>>>
>>>>>> The design is wrong then.
>>>>>
>>>>> I don't agree.
>>>>>
>>>>>>
>>>>>> Either do it in ipa-csreplica-manage, or make *all* ipa-replica-manage
>>>>>> sub-commands respect the --suffix option. Anything else is inconsistent
>>>>>> mess.
>>>>>
>>>>> That's the idea for domain level 1. There is little value in extending
>>>>> behavior (managing replication agreements) in domain level 0.
>>>>
>>>> Domain level 0 is still relevant, it won't go away anytime soon.
>>>>>
>>>>> Main idea is to not care about suffixes and work with all suffixes right
>>>>> away. This is reflected in clean-dangling-ruv command and these
>>>>> extensions are its counterpart - to enable disabling the run. We mostly
>>>>> care about replica IDs not suffixes they belong to. IMO --suffix option
>>>>> is not necessary and is mostly for debugging.
>>>>>
>>>>> One of the reasons why we have all the RUV commands is a mess after
>>>>> uninstallation when somebody forgets/ignores to run
>>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del
>>>>> $server` before uninstallation of replica. Users then usually run
>>>>> `ipa-replica-manage del $server --force --clean` but
>>>>> `ipa-csreplica-manage del $server` can't be run after it. Changes in
>>>>> 4.3 and 4.4 try to prevent this situation (e.g. by calling equivalent
>>>>> of `ipa-cs+replica-manage del` from `ipa-server-install --uninstall`).
>>>>> But until then mess is cleaned on all servers, we should deal with it
>>>>> with the most convenient way - hiding implementation details.
>>>>>
>>>>
>>>> This is actually exposing implementation details by forcing the user to
>>>> use a different command based on the domain level.
>>> >>> What different commands? >> >> ipa-replica-manage vs ipa-csreplica-manage cs API commands. >> >>> >>>> Please explain to me how any of the above requires us to introduce >>>> additional inconsistencies and bad UX to IPA. >>> >>> What bad UX? >> >> This is how replicas are managed in domain level 0 without the patch: >> >> suffix both domain ca >> >> list - i-r-m i-c-m >> >> list-ruv - i-r-m - >> >> connect - i-r-m i-c-m >> >> diconnect - i-r-m i-c-m >> >> del - i-r-m i-c-m >> >> re-initialize - i-r-m i-c-m >> >> force-sync - i-r-m i-c-m >> >> clean-ruv - i-r-m - >> >> abort-clean-ruv - i-r-m - >> >> list-clean-ruv i-r-m - - > > isnt' it?: > - i-r-m - > It is AFAIK. > >> >> clean-dangling-ruv i-r-m - - >> >> (i-r-m == ipa-replica-manage, etc.) >> >> >> This is how replicas are managed in domain level 1 with the patch: >> >> suffix both domain ca >> >> list - i-r-m i-c-m >> s-f s-f -ts=d s-f -ts=c >> >> list-ruv i-r-m i-r-m -s=d i-r-m -s=c >> >> connect - ts-a d ts-a c >> >> diconnect - ts-d d ts-d c >> >> del i-r-m - - >> s-d - - >> >> re-initialize - i-r-m i-c-m >> - ts-r d ts-r c >> >> force-sync - i-r-m i-c-m >> >> clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >> >> abort-clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >> >> list-clean-ruv i-r-m - - >> >> clean-dangling-ruv i-r-m - - >> >> (s-f -ts=d == server-find --topologysuffixes=domain, etc.) >> >> >> Maybe it's just me, but I fail to see the pattern here and find this >> very confusing. (Note that I'm not trying to blame this particular patch >> for this, I'm just frustrated from the overall state.) > > Yes, backwards compatibility(bc) makes a mess there. But look at the > state in following way (bc hidden): > > suffix both domain ca > > == Normal operations (i.e. 
all in API) == > > list s-f s-f -ts=d s-f -ts=c > > > > connect - ts-a d ts-a c > > diconnect - ts-d d ts-d c > > del s-d - - > > == Debugging & Fixing == > > re-initialize ts-r d ts-r c > - i-r-m i-c-m > > force-sync - i-r-m i-c-m > > > list-ruv i-r-m > > clean-ruv i-r-m > > abort-clean-ruv i-r-m > > list-clean-ruv i-r-m - - > > clean-dangling-ruv i-r-m - - > > > Then we can see that only issue is force-sync operations which use > case I don't really understand and with re-initialize which should be > improved in API to be more usable (currently there is no progress > status). > > Note: "debugging and fixing" is basically the same on both domain levels. > > >> >>> >>> It is supposed to be used in following way: >>> ipa-replica-manage clean-dangling-ruvs >>> >>> If from whatever reason some clean ruv task is not finished then: >>> ipa-replica-manage list-clean-ruv >>> [all running task for all suffixes] >>> ipa-replica-manage abort-clean-ruv REPLICATION_ID >>> >>> Nothing else. Works for both domain levels and suffixes from a single >>> tool. Again, --suffix option is not important. >> >> This changes the default behavior in domain level 0. I though we are not >> extending domain level 0 anymore, you said it yourself in a comment >> above. > > I meant that we don't need to invest into new features in domain level > 0 but RUV commands doesn't need to behave differently on various > domain levels. There is no reason. > >> >>> >>> Note: clean-ruv subcommand could be probably marked as deprecated or be >>> discouraged to use. >> >> If the commands are deprecated, why further extend them? > > No reason, clean-ruv subcommand doesn't need to be extended. Maybe to > have similar behavior as rest of ruv commands. > It was exactly for that reason. 
If there's abort-clean-ruv which allows aborting the clean operation for both suffixes, it seems rather natural to have its counterpart to be able to do the same (as long as it's not deprecated, which we might do right now if it seems like a good thing to do). >> >>> >>> If the patch doesn't implement it, then it's wrong. >> >> The patch changes the default behavior of the sub-commands and extends >> them even in domain level 0. I would think at least that should be >> fixed. > > Why? > > Given the question of deprecating clean-ruv is answered by now, I should also ask why. From mbasti at redhat.com Wed Mar 16 08:13:44 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 09:13:44 +0100 Subject: [Freeipa-devel] [PATCH 0432] stageuser-activate: noralize manager value In-Reply-To: <56E7D9F9.9030907@redhat.com> References: <56DEB130.3030005@redhat.com> <56E7D9F9.9030907@redhat.com> Message-ID: <56E915B8.8060601@redhat.com> On 15.03.2016 10:46, David Kupka wrote: > On 08/03/16 12:02, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5481 >> >> Patch attached. >> >> > Works for me, ACK. > Pushed to master: 4871cb5b549042f383ee883e527e773c0abe9d87 Pushed to ipa-4-3: 03743ba1d9191bf0d786116808dba4d7a3522b1f From mbasti at redhat.com Wed Mar 16 08:29:08 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 09:29:08 +0100 Subject: [Freeipa-devel] [PATCH 0437] dogtag: remove redundant parameters from CS.cfg In-Reply-To: <56E11D5B.6070603@redhat.com> References: <56E01749.2070609@redhat.com> <20160310023501.GA12127@dhcp-40-8.bne.redhat.com> <56E1111F.8030708@redhat.com> <20160310065758.GB12127@dhcp-40-8.bne.redhat.com> <56E11D5B.6070603@redhat.com> Message-ID: <56E91954.6000201@redhat.com> On 10.03.2016 08:08, Jan Cholasta wrote: > On 10.3.2016 07:57, Fraser Tweedale wrote: >> On Thu, Mar 10, 2016 at 07:15:59AM +0100, Jan Cholasta wrote: >>> On 10.3.2016 03:35, Fraser Tweedale wrote: >>>> On Wed, Mar 09, 2016 at 01:30:01PM +0100, Martin Basti wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5298 >>>>> >>>>> Patch attached. >>>>> >>>> ACK >>> >>> Shouldn't we remove these on upgrade as well? >>> >> The parameters are doing no harm in existing installations, so it is >> a tradeoff between ensuring consistency between existing and new >> installations, or adding more steps to upgrade script. What is the >> guiding principle here? > > Install and upgrade should result in the same configuration, but given > we have no sane infrastructure for that and the parameters are > harmless as you pointed out, I think we are fine here. So ACK. > Pushed to: master: 0cb870e5657a5e30d66e967644ab54bfa9bf54b4 ipa-4-3: beb2b4cb90e68cfa36e880dc9654756944b731c4 From mbasti at redhat.com Wed Mar 16 08:31:23 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 09:31:23 +0100 Subject: [Freeipa-devel] [PATCH 0432] use platform path for SSSD log directory In-Reply-To: <56E7AF08.6030402@redhat.com> References: <56DEEFEE.3080507@redhat.com> <56E7AF08.6030402@redhat.com> Message-ID: <56E919DB.9030206@redhat.com> On 15.03.2016 07:43, David Kupka wrote: > On 08/03/16 16:29, Martin Basti wrote: >> /var/log/SSSD is platform specific, thus should be added to ipaplatform >> module >> >> Patch attached. >> >> > Works for me, ACK. > Pushed to master: fb3a5d5a9cad4355c3d7db5a789d1f6342cccaa0 From mbasti at redhat.com Wed Mar 16 08:40:21 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 09:40:21 +0100 Subject: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil In-Reply-To: <56E7AAFC.2000007@redhat.com> References: <56E67663.3030405@redhat.com> <56E7AAFC.2000007@redhat.com> Message-ID: <56E91BF5.6080402@redhat.com> On 15.03.2016 07:26, David Kupka wrote: > On 14/03/16 09:29, Jan Cholasta wrote: >> Hi, >> >> the attached patch fixes >> and . >> >> Honza >> >> >> > Hi, thanks for the patch. I haven't found any distortion of affected > use cases, ACK. > Pushed to: ipa-4-2: 00097c1dd82f55b1e004b9d6eb4f6ed7fb6ffca8 ipa-4-3: b7bf55e951cabf77aa72b4b795396b52b801f8ba master: 54a59475f301267c7263a649df1b992e9b3e08aa From jcholast at redhat.com Wed Mar 16 09:22:24 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 16 Mar 2016 10:22:24 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E90C5C.2020703@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> Message-ID: <56E925D0.2080305@redhat.com> On 16.3.2016 08:33, Stanislav Laznicka wrote: > On 03/15/2016 12:47 PM, Petr Vobornik wrote: >> On 03/15/2016 07:25 AM, Jan Cholasta wrote: >>> On 14.3.2016 17:18, Petr Vobornik wrote: >>>> On 03/14/2016 04:55 PM, Jan Cholasta wrote: >>>>> On 14.3.2016 16:26, Petr Vobornik wrote: >>>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote: >>>>>>> On 14.3.2016 12:50, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> Please see the patch attached. Contrary to the discussion at >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the >>>>>>>>>> suffix >>>>>>>>>> option for clean_ruv command. If this command is available for >>>>>>>>>> normal >>>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>>>>>>> deprecated >>>>>>>>>> for both with advised use of clean_dangling_ruv). >>>>>>>>> >>>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>>>>>>> ipa-csreplica-manage should be extended instead of adding --suffix >>>>>>>>> option to ipa-replica-manage. Having half of the CA suffix >>>>>>>>> managed by >>>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>>>>>>> confusing. 
>>>>>>>>> >>>>>>>>> Honza >>>>>>>>> >>>>>>>> There is a design document about deprecating >>>>>>>> ipa-csreplica-manage and >>>>>>>> move part of its responsibilities to ipa-replica-manage. >>>>>>>> >>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> So patch is compatible with design. >>>>>>> >>>>>>> The design is wrong then. >>>>>> >>>>>> I don't agree. >>>>>> >>>>>>> >>>>>>> Either do it in ipa-csreplica-manage, or make *all* >>>>>>> ipa-replica-manage >>>>>>> sub-commands respect the --suffix option. Anything else is >>>>>>> inconsistent >>>>>>> mess. >>>>>> >>>>>> That's the idea for domain level 1. There is little value in >>>>>> extending >>>>>> behavior(managing replication agreements) in domain level 0. >>>>> >>>>> Domain level 0 is still relevant, it won't go away anytime soon. >>>>>> >>>>>> Main idea is to not care about suffixes and work with all suffixes >>>>>> right >>>>>> away. This is reflected in clean-dangling-ruv command and these >>>>>> extensions are its counterpart - to enable disabling the run. We >>>>>> mostly >>>>>> care about replica IDs not suffixes they belong to. IMO --suffix >>>>>> option >>>>>> is not necessary and is mostly for debugging. >>>>>> >>>>>> One of the reasons why we have all the RUV commands is a mess after >>>>>> uninstallation when somebody forgets/ignores to run >>>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del >>>>>> $server` before uninstallation of replica. Users then usually run >>>>>> `ipa-replica-manage del $server` --force --clean` but >>>>>> `ipa-csreplica-manage del $server` can't be run after it. Changes in >>>>>> 4.3 and 4.4 tries to prevent this situation (e.g. by calling >>>>>> equivalent >>>>>> of `ipa-cs+replica-manage del` from `ipa-server-install >>>>>> --uninstall`). 
>>>>>> But until then mess is cleaned on all servers, we should deal with it >>>>>> with the most convenient way - hiding implementation details. >>>>>> >>>>> >>>>> This is actually exposing implementation details by forcing the >>>>> user to >>>>> use a different command based on the domain level. >>>> >>>> What different commands? >>> >>> ipa-replica-manage vs ipa-csreplica-manage cs API commands. >>> >>>> >>>>> Please explain to me how any of the above requires us to introduce >>>>> additional inconsistencies and bad UX to IPA. >>>> >>>> What bad UX? >>> >>> This is how replicas are managed in domain level 0 without the patch: >>> >>> suffix both domain ca >>> >>> list - i-r-m i-c-m >>> >>> list-ruv - i-r-m - >>> >>> connect - i-r-m i-c-m >>> >>> diconnect - i-r-m i-c-m >>> >>> del - i-r-m i-c-m >>> >>> re-initialize - i-r-m i-c-m >>> >>> force-sync - i-r-m i-c-m >>> >>> clean-ruv - i-r-m - >>> >>> abort-clean-ruv - i-r-m - >>> >>> list-clean-ruv i-r-m - - >> >> isnt' it?: >> - i-r-m - >> > It is AFAIK. It's not, the command searches all 'cleanallruv' and 'abort cleanallruv' tasks without filtering by suffix. >> >>> >>> clean-dangling-ruv i-r-m - - >>> >>> (i-r-m == ipa-replica-manage, etc.) >>> >>> >>> This is how replicas are managed in domain level 1 with the patch: >>> >>> suffix both domain ca >>> >>> list - i-r-m i-c-m >>> s-f s-f -ts=d s-f -ts=c >>> >>> list-ruv i-r-m i-r-m -s=d i-r-m -s=c >>> >>> connect - ts-a d ts-a c >>> >>> diconnect - ts-d d ts-d c >>> >>> del i-r-m - - >>> s-d - - >>> >>> re-initialize - i-r-m i-c-m >>> - ts-r d ts-r c >>> >>> force-sync - i-r-m i-c-m >>> >>> clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>> >>> abort-clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>> >>> list-clean-ruv i-r-m - - >>> >>> clean-dangling-ruv i-r-m - - >>> >>> (s-f -ts=d == server-find --topologysuffixes=domain, etc.) >>> >>> >>> Maybe it's just me, but I fail to see the pattern here and find this >>> very confusing. 
(Note that I'm not trying to blame this particular patch >>> for this, I'm just frustrated from the overall state.) >> >> Yes, backwards compatibility(bc) makes a mess there. But look at the >> state in following way (bc hidden): >> >> suffix both domain ca >> >> == Normal operations (i.e. all in API) == >> >> list s-f s-f -ts=d s-f -ts=c >> >> >> >> connect - ts-a d ts-a c >> >> diconnect - ts-d d ts-d c >> >> del s-d - - >> >> == Debugging & Fixing == >> >> re-initialize ts-r d ts-r c >> - i-r-m i-c-m >> >> force-sync - i-r-m i-c-m >> >> >> list-ruv i-r-m >> >> clean-ruv i-r-m >> >> abort-clean-ruv i-r-m >> >> list-clean-ruv i-r-m - - >> >> clean-dangling-ruv i-r-m - - >> >> >> Then we can see that only issue is force-sync operations which use >> case I don't really understand and with re-initialize which should be >> improved in API to be more usable (currently there is no progress >> status). >> >> Note: "debugging and fixing" is basically the same on both domain levels. >> >> >>> >>>> >>>> It is supposed to be used in following way: >>>> ipa-replica-manage clean-dangling-ruvs >>>> >>>> If from whatever reason some clean ruv task is not finished then: >>>> ipa-replica-manage list-clean-ruv >>>> [all running task for all suffixes] >>>> ipa-replica-manage abort-clean-ruv REPLICATION_ID >>>> >>>> Nothing else. Works for both domain levels and suffixes from a single >>>> tool. Again, --suffix option is not important. >>> >>> This changes the default behavior in domain level 0. I though we are not >>> extending domain level 0 anymore, you said it yourself in a comment >>> above. >> >> I meant that we don't need to invest into new features in domain level >> 0 but RUV commands doesn't need to behave differently on various >> domain levels. There is no reason. >> >>> >>>> >>>> Note: clean-ruv subcommand could be probably marked as deprecated or be >>>> discouraged to use. >>> >>> If the commands are deprecated, why further extend them? 
>> >> No reason, clean-ruv subcommand doesn't need to be extended. Maybe to >> have similar behavior as rest of ruv commands. >> > It was exactly for that reason. If there's abort-clean-ruv which allows > aborting the clean operation for both suffixes, it seems rather natural > to have its counterpart to be able to do the same (as long as it's not > deprecated, which we might do right now if it seems like a good thing to > do). >>> >>>> >>>> If the patch doesn't implement it, then it's wrong. >>> >>> The patch changes the default behavior of the sub-commands and extends >>> them even in domain level 0. I would think at least that should be >>> fixed. >> >> Why? >> >> > Given the question of deprecating clean-ruv is answered by now, I should > also ask why. We discussed this with Petr offline. We agreed that it's actually desirable to make all clean-ruv commands behave the same on all domain levels. We also agreed that it's desirable to make the normal operation commands behave the same on all domain levels, which is currently not true for the connect and disconnect commands, but that's unrelated to this patch. Therefore, I'm OK with the approach, as long as you either remove the --suffix option altogether, or add it to the remaining clean-ruv commands (list-clean-ruv and clean-dangling-ruv). I would personally just remove it, because as Petr pointed out, it's not actually necessary for anything. -- Jan Cholasta From ofayans at redhat.com Wed Mar 16 09:59:25 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 16 Mar 2016 10:59:25 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 Message-ID: <56E92E7D.7030205@redhat.com> With this patch applied integration tests pass and in-tree tests are gracefully skipped. @mkubik, It is not possible to put the decorator to util.py as per our discussion, because it uses tasks, so tasks must be imported. But tasks already import util, which leads to circular imports. So I've put it to tasks.py -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0027-rewrote-a-misprocessed-teardown_method-method.patch Type: text/x-patch Size: 4654 bytes Desc: not available URL: From mbasti at redhat.com Wed Mar 16 12:26:54 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 13:26:54 +0100 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <56E82CF2.2070902@redhat.com> References: <56E82CF2.2070902@redhat.com> Message-ID: <56E9510E.5010209@redhat.com> On 15.03.2016 16:40, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5737 > > Patch attached. > > Self NACK, fix should be just oneliner, I found out that domain are stored hierarchically so extra finding of parents zone is needed. From abokovoy at redhat.com Wed Mar 16 12:32:16 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 16 Mar 2016 14:32:16 +0200 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <56E9510E.5010209@redhat.com> References: <56E82CF2.2070902@redhat.com> <56E9510E.5010209@redhat.com> Message-ID: <20160316123216.GO4492@redhat.com> On Wed, 16 Mar 2016, Martin Basti wrote: > > >On 15.03.2016 16:40, Martin Basti wrote: >>https://fedorahosted.org/freeipa/ticket/5737 >> >>Patch attached. >> >> >Self NACK, > >fix should be just oneliner, I found out that domain are stored >hierarchically so extra finding of parents zone is needed. you meant 'not needed', I'd guess. -- / Alexander Bokovoy From mbasti at redhat.com Wed Mar 16 12:32:49 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 13:32:49 +0100 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <20160316123216.GO4492@redhat.com> References: <56E82CF2.2070902@redhat.com> <56E9510E.5010209@redhat.com> <20160316123216.GO4492@redhat.com> Message-ID: <56E95271.10100@redhat.com> On 16.03.2016 13:32, Alexander Bokovoy wrote: > On Wed, 16 Mar 2016, Martin Basti wrote: >> >> >> On 15.03.2016 16:40, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5737 >>> >>> Patch attached. >>> >>> >> Self NACK, >> >> fix should be just oneliner, I found out that domain are stored >> hierarchically so extra finding of parents zone is needed. > you meant 'not needed', I'd guess. > Yes, I meant that, sorry :) From npmccallum at redhat.com Wed Mar 16 12:35:10 2016
From: npmccallum at redhat.com (Nathaniel McCallum) Date: Wed, 16 Mar 2016 08:35:10 -0400 Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty In-Reply-To: <56E8FC42.1000605@redhat.com> References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> Message-ID: <1458131710.2518.0.camel@redhat.com> On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: > On 15.3.2016 22:22, Nathaniel McCallum wrote: > > > > On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote: > > > > > > On 03/15/2016 03:36 PM, Martin Babinsky wrote: > > > > > > > > > > > > On 03/09/2016 07:06 AM, Jan Cholasta wrote: > > > > > > > > > > > > > > > On 8.3.2016 17:45, Martin Babinsky wrote: > > > > > > > > > > > > > > > > > > On 03/08/2016 05:35 PM, Jan Cholasta wrote: > > > > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > On 8.3.2016 16:21, Martin Babinsky wrote: > > > > > > > > > > > > > > > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/5700 > > > > > > > 1) Instead of checking for utf-8 in particular, I would > > > > > > > prefer a more > > > > > > > robust approach: > > > > > > > > > > > > > > try: > > > > > > > qr = qrcode.QRCode() > > > > > > > qr.add_data('test') > > > > > > > qr.make() > > > > > > > qr.print_ascii(tty=True) > > > > > > > except UnicodeError: > > > > > > > # it is not printable > > > > > > > else: > > > > > > > # it is printable > > > > > > > > > > > > > Now you mean the check in the _check_qrcode_capability() or > > > > > > the > > > > > > _print_qrcode() method itself? > > > > > _check_qrcode_capability() of course.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 2) There is no os.isatty() check to see if stdout is > > > > > > > actually > > > > > > > a tty. > > > > > > > > > > > > > This check is performed inside both print_ascii() and > > > > > > print_tty() > > > > > > methods of QRCode object, but you probably mean that I > > > > > > should > > > > > > put the > > > > > > check also into _check_qrcode_capability() method, right? > > > > > Yes. If stdout is not a tty, we should at least not tty=True > > > > > in > > > > > print_ascii(). > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Honza > > > > > > > > > > > Attaching updated patch. After the discussion with other > > > > developers > > > > we > > > > decided to just print warnings when non-UTF-8 encoding is used > > > > and > > > > tty > > > > width is smaller than the QR code size. > > > > > > > > > > > > > > > Found some minor errors in the patch, attaching updated version. > > NACK > > > > This patch has the major problem that tokens are added but then > > unusable because they can't be provisioned to the devices. You need > > to > > check if qrcode output is possible before the token is added to > > LDAP. > We discussed this on the IPA devel meeting and the decision was that > since the otpauth URI is always displayed, a warning is sufficient > when > the QR code cannot be printed. > > If you disagree, could you explain why the URI is not sufficient for > provisioning the token? I guess that is okay. From mbasti at redhat.com Wed Mar 16 12:43:38 2016
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 13:43:38 +0100 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <56E95271.10100@redhat.com> References: <56E82CF2.2070902@redhat.com> <56E9510E.5010209@redhat.com> <20160316123216.GO4492@redhat.com> <56E95271.10100@redhat.com> Message-ID: <56E954FA.4030906@redhat.com> On 16.03.2016 13:32, Martin Basti wrote: > > > On 16.03.2016 13:32, Alexander Bokovoy wrote: >> On Wed, 16 Mar 2016, Martin Basti wrote: >>> >>> >>> On 15.03.2016 16:40, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5737 >>>> >>>> Patch attached. >>>> >>>> >>> Self NACK, >>> >>> fix should be just oneliner, I found out that domain are stored >>> hierarchically so extra finding of parents zone is needed. >> you meant 'not needed', I'd guess. >> > Yes, I meant that, sorry :) > Updated patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0440.2-Fix-broken-trust-warnings.patch Type: text/x-patch Size: 1143 bytes Desc: not available URL: From abokovoy at redhat.com Wed Mar 16 12:45:48 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 16 Mar 2016 14:45:48 +0200 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <56E954FA.4030906@redhat.com> References: <56E82CF2.2070902@redhat.com> <56E9510E.5010209@redhat.com> <20160316123216.GO4492@redhat.com> <56E95271.10100@redhat.com> <56E954FA.4030906@redhat.com> Message-ID: <20160316124548.GP4492@redhat.com> On Wed, 16 Mar 2016, Martin Basti wrote: > > >On 16.03.2016 13:32, Martin Basti wrote: >> >> >>On 16.03.2016 13:32, Alexander Bokovoy wrote: >>>On Wed, 16 Mar 2016, Martin Basti wrote: >>>> >>>> >>>>On 15.03.2016 16:40, Martin Basti wrote: >>>>>https://fedorahosted.org/freeipa/ticket/5737 >>>>> >>>>>Patch attached. >>>>> >>>>> >>>>Sekf NACK, >>>> >>>>fix should be just oneliner, I found out that domain are stored >>>>hierarchically so extra finding of parents zone is needed. >>>you meant 'not needed', I'd guess. >>> >>Yes, I meant that, sorry :) >> > >Updated patch attached. >From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001 >From: Martin Basti >Date: Wed, 16 Mar 2016 13:41:51 +0100 >Subject: [PATCH] Fix broken trust warnings > >Warning should be shown only for parent entries of trust domain. Sub >domains do not contain SIDs at all. > >https://fedorahosted.org/freeipa/ticket/5737 >--- > ipalib/plugins/trust.py | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py >index ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c 100644 >--- a/ipalib/plugins/trust.py >+++ b/ipalib/plugins/trust.py 
>@@ -597,7 +597,9 @@ class trust(LDAPObject): > > try: > entries, truncated = ldap.find_entries( >- base_dn=DN(self.container_dn, self.api.env.basedn), >+ base_dn=DN(self.api.env.container_adtrusts, >+ self.api.env.basedn), >+ scope=ldap.SCOPE_ONELEVEL, > attrs_list=['cn'], > filter='(&(ipaNTTrustPartner=*)' > '(!(ipaNTSecurityIdentifier=*)))', ACK if you change the commit message to say that subdomains do not contain ipaNTSecurityIdentifier attribute. -- / Alexander Bokovoy From jcholast at redhat.com Wed Mar 16 12:50:56 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 16 Mar 2016 13:50:56 +0100 Subject: [Freeipa-devel] [PATCHES 551-552] ipalib: add basecert plugins Message-ID: <56E956B0.9000804@redhat.com> Hi, the attached patches implement the server-side part of . Honza -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-551-ldap-fix-handling-of-binary-data-in-search-filters.patch Type: text/x-patch Size: 1201 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-552-api-add-basecert-plugins.patch Type: text/x-patch Size: 16553 bytes Desc: not available URL: From mbasti at redhat.com Wed Mar 16 12:52:13 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 13:52:13 +0100 Subject: [Freeipa-devel] [PATCH 0440] Fix broken trust warnings In-Reply-To: <20160316124548.GP4492@redhat.com> References: <56E82CF2.2070902@redhat.com> <56E9510E.5010209@redhat.com> <20160316123216.GO4492@redhat.com> <56E95271.10100@redhat.com> <56E954FA.4030906@redhat.com> <20160316124548.GP4492@redhat.com> Message-ID: <56E956FD.1060601@redhat.com> On 16.03.2016 13:45, Alexander Bokovoy wrote: > On Wed, 16 Mar 2016, Martin Basti wrote: >> >> >> On 16.03.2016 13:32, Martin Basti wrote: >>> >>> >>> On 16.03.2016 13:32, Alexander Bokovoy wrote: >>>> On Wed, 16 Mar 2016, Martin Basti wrote: >>>>> >>>>> >>>>> On 15.03.2016 16:40, Martin Basti wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5737 >>>>>> >>>>>> Patch attached. >>>>>> >>>>>> >>>>> Sekf NACK, >>>>> >>>>> fix should be just oneliner, I found out that domain are stored >>>>> hierarchically so extra finding of parents zone is needed. >>>> you meant 'not needed', I'd guess. >>>> >>> Yes, I meant that, sorry :) >>> >> >> Updated patch attached. > >> From 74c55e5048af4b582469b1668a9dd592f868cf4b Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 16 Mar 2016 13:41:51 +0100 >> Subject: [PATCH] Fix broken trust warnings >> >> Warning should be shown only for parent entries of trust domain. Sub >> domains do not contain SIDs at all. >> >> https://fedorahosted.org/freeipa/ticket/5737 >> --- >> ipalib/plugins/trust.py | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py >> index >> ba0c98e2f3711924dace395b7becf2977ca8e35c..7d815fd6118586a4a75a1eeff7457103fe4c331c >> 100644 >> --- a/ipalib/plugins/trust.py >> +++ b/ipalib/plugins/trust.py 
>> @@ -597,7 +597,9 @@ class trust(LDAPObject): >> >> try: >> entries, truncated = ldap.find_entries( >> - base_dn=DN(self.container_dn, self.api.env.basedn), >> + base_dn=DN(self.api.env.container_adtrusts, >> + self.api.env.basedn), >> + scope=ldap.SCOPE_ONELEVEL, >> attrs_list=['cn'], >> filter='(&(ipaNTTrustPartner=*)' >> '(!(ipaNTSecurityIdentifier=*)))', > > ACK if you change the commit message to say that subdomains do not > contain ipaNTSecurityIdentifier attribute. > Thanks, changed Pushed to: master: de8c6d81fd5d0f759ac0201e2c517bcb8b43d960 ipa-4-3: 1e0208612087e80f673e7ec1f8e050b57b5f1fb7 ipa-4-2: fb11384e65d74b6a027bf8cfe9f93e003bba5236 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0440.3-Fix-broken-trust-warnings.patch Type: text/x-patch Size: 1171 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Mar 16 13:17:30 2016 
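Review bot: In the find_entries() call of the ipalib/plugins/trust.py hunk quoted above, the added scope=ldap.SCOPE_ONELEVEL is what keeps subdomain entries out of the warning, but the code itself gives no reason for it. A short comment above the call, saying that only direct children of the trust container are searched because the subdomain entries stored beneath them carry no ipaNTSecurityIdentifier, would stop a later cleanup from widening the scope again and bringing the false warnings back. The same hunk also swaps self.container_dn for self.api.env.container_adtrusts as the search base; if the two can differ, the commit message should say why the object's own container is no longer used.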
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 16 Mar 2016 14:17:30 +0100 Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty In-Reply-To: <1458131710.2518.0.camel@redhat.com> References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> <1458131710.2518.0.camel@redhat.com> Message-ID: <56E95CEA.3070509@redhat.com> On 03/16/2016 01:35 PM, Nathaniel McCallum wrote: > On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: >> On 15.3.2016 22:22, Nathaniel McCallum wrote: >>> >>> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote: >>>> >>>> On 03/15/2016 03:36 PM, Martin Babinsky wrote: >>>>> >>>>> >>>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote: >>>>>> >>>>>> >>>>>> On 8.3.2016 17:45, Martin Babinsky wrote: >>>>>>> >>>>>>> >>>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote: >>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> On 8.3.2016 16:21, Martin Babinsky wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5700 >>>>>>>> 1) Instead of checking for utf-8 in particular, I would >>>>>>>> prefer a more >>>>>>>> robust approach: >>>>>>>> >>>>>>>> try: >>>>>>>> qr = qrcode.QRCode() >>>>>>>> qr.add_data('test') >>>>>>>> qr.make() >>>>>>>> qr.print_ascii(tty=True) >>>>>>>> except UnicodeError: >>>>>>>> # it is not printable >>>>>>>> else: >>>>>>>> # it is printable >>>>>>>> >>>>>>> Now you mean the check in the _check_qrcode_capability() or >>>>>>> the >>>>>>> _print_qrcode() method itself? >>>>>> _check_qrcode_capability() of course. >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> 2) There is no os.isatty() check to see if stdout is >>>>>>>> actually >>>>>>>> a tty. 
>>>>>>>> >>>>>>> This check is performed inside both print_ascii() and >>>>>>> print_tty() >>>>>>> methods of QRCode object, but you probably mean that I >>>>>>> should >>>>>>> put the >>>>>>> check also into _check_qrcode_capability() method, right? >>>>>> Yes. If stdout is not a tty, we should at least not tty=True >>>>>> in >>>>>> print_ascii(). >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>> Attaching updated patch. After the discussion with other >>>>> developers >>>>> we >>>>> decided to just print warnings when non-UTF-8 encoding is used >>>>> and >>>>> tty >>>>> width is smaller that the QR code size. >>>>> >>>>> >>>>> >>>> Found some minor errors in the patch, attaching updated version. >>> NACK >>> >>> This patch has the major problem that tokens are added but then >>> unusable because they can't be provisioned to the devices. You need >>> to >>> check if qrcode output is possible before the token is added to >>> LDAP. >> We discussed this on the IPA devel meeting and the decision was that >> since the otpauth URI is always displayed, a warning is sufficient >> when >> the QR code cannot be printed. >> >> If you disagree, could you explain why the URI is not sufficient for >> provisioning the token? > > I guess that is okay. > Thank you Nathaniel. Jan had some offline comments to the patch. Attaching updated version. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-3-mbabinsk-0139.3-otptoken-add-improve-the-robustness-of-QR-code-print.patch Type: text/x-patch Size: 4912 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0139.3-otptoken-add-improve-the-robustness-of-QR-code-print.patch Type: text/x-patch Size: 4878 bytes Desc: not available URL: From mbasti at redhat.com Wed Mar 16 13:39:32 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 16 Mar 2016 14:39:32 +0100
Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736
In-Reply-To: <56E92E7D.7030205@redhat.com>
References: <56E92E7D.7030205@redhat.com>
Message-ID: <56E96214.7050609@redhat.com>

On 16.03.2016 10:59, Oleg Fayans wrote:
> With this patch applied integration tests pass and in-tree tests are
> gracefully skipped.
>
> @mkubik, It is not possible to put the decorator to util.py as per our
> discussion, because it uses tasks, so tasks must be imported. But tasks
> already import util, which leads to circular imports. So I've put it to
> tasks.py
>
>
>
NACK

1)
Use right ticket in commit message (#5723)

2)
Link to ticket should be last in the commit message

3)
dereplicafy

3a)
wrong doc string, it removes *only* replicas not clients

3b)
can we rename it to something different? (replicas_cleanup, replicas_uninstall, replicas_teardown)

4)
Please fix commit message
- Wile trated correctly
- followiong
- rewrote -> rewrite

5)
decorator
+ def wrapped(*args):
+ func(*args)
+ for host in args[0].replicas:

Shouldn't be there try-finally around func() call, or something?
Are you sure that there is no need to return result of func()?

*) Please create additional patch that will add licence there

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From slaznick at redhat.com Wed Mar 16 13:45:31 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 16 Mar 2016 14:45:31 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E925D0.2080305@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> Message-ID: <56E9637B.5080307@redhat.com> On 03/16/2016 10:22 AM, Jan Cholasta wrote: > On 16.3.2016 08:33, Stanislav Laznicka wrote: >> On 03/15/2016 12:47 PM, Petr Vobornik wrote: >>> On 03/15/2016 07:25 AM, Jan Cholasta wrote: >>>> On 14.3.2016 17:18, Petr Vobornik wrote: >>>>> On 03/14/2016 04:55 PM, Jan Cholasta wrote: >>>>>> On 14.3.2016 16:26, Petr Vobornik wrote: >>>>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote: >>>>>>>> On 14.3.2016 12:50, Martin Basti wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> Please see the patch attached. Contrary to the discussion at >>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the >>>>>>>>>>> suffix >>>>>>>>>>> option for clean_ruv command. If this command is available for >>>>>>>>>>> normal >>>>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>>>>>>>> deprecated >>>>>>>>>>> for both with advised use of clean_dangling_ruv). >>>>>>>>>> >>>>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>>>>>>>> ipa-csreplica-manage should be extended instead of adding >>>>>>>>>> --suffix >>>>>>>>>> option to ipa-replica-manage. 
Having half of the CA suffix >>>>>>>>>> managed by >>>>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>>>>>>>> confusing. >>>>>>>>>> >>>>>>>>>> Honza >>>>>>>>>> >>>>>>>>> There is a design document about deprecating >>>>>>>>> ipa-csreplica-manage and >>>>>>>>> move part of its responsibilities to ipa-replica-manage. >>>>>>>>> >>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> So patch is compatible with design. >>>>>>>> >>>>>>>> The design is wrong then. >>>>>>> >>>>>>> I don't agree. >>>>>>> >>>>>>>> >>>>>>>> Either do it in ipa-csreplica-manage, or make *all* >>>>>>>> ipa-replica-manage >>>>>>>> sub-commands respect the --suffix option. Anything else is >>>>>>>> inconsistent >>>>>>>> mess. >>>>>>> >>>>>>> That's the idea for domain level 1. There is little value in >>>>>>> extending >>>>>>> behavior(managing replication agreements) in domain level 0. >>>>>> >>>>>> Domain level 0 is still relevant, it won't go away anytime soon. >>>>>>> >>>>>>> Main idea is to not care about suffixes and work with all suffixes >>>>>>> right >>>>>>> away. This is reflected in clean-dangling-ruv command and these >>>>>>> extensions are its counterpart - to enable disabling the run. We >>>>>>> mostly >>>>>>> care about replica IDs not suffixes they belong to. IMO --suffix >>>>>>> option >>>>>>> is not necessary and is mostly for debugging. >>>>>>> >>>>>>> One of the reasons why we have all the RUV commands is a mess after >>>>>>> uninstallation when somebody forgets/ignores to run >>>>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del >>>>>>> $server` before uninstallation of replica. Users then usually run >>>>>>> `ipa-replica-manage del $server` --force --clean` but >>>>>>> `ipa-csreplica-manage del $server` can't be run after it. 
>>>>>>> Changes in
>>>>>>> 4.3 and 4.4 tries to prevent this situation (e.g. by calling
>>>>>>> equivalent
>>>>>>> of `ipa-cs+replica-manage del` from `ipa-server-install
>>>>>>> --uninstall`).
>>>>>>> But until then mess is cleaned on all servers, we should deal
>>>>>>> with it
>>>>>>> with the most convenient way - hiding implementation details.
>>>>>>>
>>>>>>
>>>>>> This is actually exposing implementation details by forcing the
>>>>>> user to
>>>>>> use a different command based on the domain level.
>>>>>
>>>>> What different commands?
>>>>
>>>> ipa-replica-manage vs ipa-csreplica-manage cs API commands.
>>>>
>>>>>
>>>>>> Please explain to me how any of the above requires us to introduce
>>>>>> additional inconsistencies and bad UX to IPA.
>>>>>
>>>>> What bad UX?
>>>>
>>>> This is how replicas are managed in domain level 0 without the patch:
>>>>
>>>> suffix              both   domain  ca
>>>>
>>>> list                -      i-r-m   i-c-m
>>>>
>>>> list-ruv            -      i-r-m   -
>>>>
>>>> connect             -      i-r-m   i-c-m
>>>>
>>>> diconnect           -      i-r-m   i-c-m
>>>>
>>>> del                 -      i-r-m   i-c-m
>>>>
>>>> re-initialize       -      i-r-m   i-c-m
>>>>
>>>> force-sync          -      i-r-m   i-c-m
>>>>
>>>> clean-ruv           -      i-r-m   -
>>>>
>>>> abort-clean-ruv     -      i-r-m   -
>>>>
>>>> list-clean-ruv      i-r-m  -       -
>>>
>>> isnt' it?:
>>>                     -      i-r-m   -
>>>
>> It is AFAIK.
>
> It's not, the command searches all 'cleanallruv' and 'abort
> cleanallruv' tasks without filtering by suffix.

My bad, misread it and thought it was list-ruv.

>
>>>
>>>>
>>>> clean-dangling-ruv  i-r-m  -       -
>>>>
>>>> (i-r-m == ipa-replica-manage, etc.)
>>>>
>>>>
>>>> This is how replicas are managed in domain level 1 with the patch:
>>>>
>>>> suffix              both   domain      ca
>>>>
>>>> list                -      i-r-m       i-c-m
>>>>                     s-f    s-f -ts=d   s-f -ts=c
>>>>
>>>> list-ruv            i-r-m  i-r-m -s=d  i-r-m -s=c
>>>>
>>>> connect             -      ts-a d      ts-a c
>>>>
>>>> diconnect           -      ts-d d      ts-d c
>>>>
>>>> del                 i-r-m  -           -
>>>>                     s-d    -           -
>>>>
>>>> re-initialize       -      i-r-m       i-c-m
>>>>                     -      ts-r d      ts-r c
>>>>
>>>> force-sync          -      i-r-m       i-c-m
>>>>
>>>> clean-ruv           i-r-m  i-r-m -s=d  i-r-m -s=c
>>>>
>>>> abort-clean-ruv     i-r-m  i-r-m -s=d  i-r-m -s=c
>>>>
>>>> list-clean-ruv      i-r-m  -           -
>>>>
>>>> clean-dangling-ruv  i-r-m  -           -
>>>>
>>>> (s-f -ts=d == server-find --topologysuffixes=domain, etc.)
>>>>
>>>>
>>>> Maybe it's just me, but I fail to see the pattern here and find this
>>>> very confusing. (Note that I'm not trying to blame this particular
>>>> patch
>>>> for this, I'm just frustrated from the overall state.)
>>>
>>> Yes, backwards compatibility(bc) makes a mess there. But look at the
>>> state in following way (bc hidden):
>>>
>>> suffix              both   domain     ca
>>>
>>> == Normal operations (i.e. all in API) ==
>>>
>>> list                s-f    s-f -ts=d  s-f -ts=c
>>>
>>>
>>>
>>> connect             -      ts-a d     ts-a c
>>>
>>> diconnect           -      ts-d d     ts-d c
>>>
>>> del                 s-d    -          -
>>>
>>> == Debugging & Fixing ==
>>>
>>> re-initialize              ts-r d     ts-r c
>>>                     -      i-r-m      i-c-m
>>>
>>> force-sync          -      i-r-m      i-c-m
>>>
>>>
>>> list-ruv            i-r-m
>>>
>>> clean-ruv           i-r-m
>>>
>>> abort-clean-ruv     i-r-m
>>>
>>> list-clean-ruv      i-r-m  -          -
>>>
>>> clean-dangling-ruv  i-r-m  -          -
>>>
>>>
>>> Then we can see that only issue is force-sync operations which use
>>> case I don't really understand and with re-initialize which should be
>>> improved in API to be more usable (currently there is no progress
>>> status).
>>>
>>> Note: "debugging and fixing" is basically the same on both domain
>>> levels.
>>> >>> >>>> >>>>> >>>>> It is supposed to be used in following way: >>>>> ipa-replica-manage clean-dangling-ruvs >>>>> >>>>> If from whatever reason some clean ruv task is not finished then: >>>>> ipa-replica-manage list-clean-ruv >>>>> [all running task for all suffixes] >>>>> ipa-replica-manage abort-clean-ruv REPLICATION_ID >>>>> >>>>> Nothing else. Works for both domain levels and suffixes from a single >>>>> tool. Again, --suffix option is not important. >>>> >>>> This changes the default behavior in domain level 0. I though we >>>> are not >>>> extending domain level 0 anymore, you said it yourself in a comment >>>> above. >>> >>> I meant that we don't need to invest into new features in domain level >>> 0 but RUV commands doesn't need to behave differently on various >>> domain levels. There is no reason. >>> >>>> >>>>> >>>>> Note: clean-ruv subcommand could be probably marked as deprecated >>>>> or be >>>>> discouraged to use. >>>> >>>> If the commands are deprecated, why further extend them? >>> >>> No reason, clean-ruv subcommand doesn't need to be extended. Maybe to >>> have similar behavior as rest of ruv commands. >>> >> It was exactly for that reason. If there's abort-clean-ruv which allows >> aborting the clean operation for both suffixes, it seems rather natural >> to have its counterpart to be able to do the same (as long as it's not >> deprecated, which we might do right now if it seems like a good thing to >> do). >>>> >>>>> >>>>> If the patch doesn't implement it, then it's wrong. >>>> >>>> The patch changes the default behavior of the sub-commands and extends >>>> them even in domain level 0. I would think at least that should be >>>> fixed. >>> >>> Why? >>> >>> >> Given the question of deprecating clean-ruv is answered by now, I should >> also ask why. > > We discussed this with Petr offline. We agreed that it's actually > desirable to make all clean-ruv commands behave the same on all domain > levels. 
We also agreed that it's desirable to make the normal > operation commands behave the same on all domain levels, which is > currently not true for the connect and disconnect commands, but that's > unrelated to this patch. > > Therefore, I'm OK with the approach, as long as you either remove the > --suffix option altogether, or add it to the remaining clean-ruv > commands (list-clean-ruv and clean-dangling-ruv). I would personally > just remove it, because as Petr pointed out, it's not actually > necessary for anything. > Modified the patch (removed the --suffix option) and added password check for clean_dangling_ruv command to be in the same spot as for the other commands. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0024-1-abort-clean-list-clean-ruv-now-work-for-both-suffixe.patch Type: text/x-patch Size: 11306 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-stlaz-0025-Moved-password-check-from-clean_dangling_ruv.patch Type: text/x-patch Size: 2478 bytes Desc: not available URL: From rcritten at redhat.com Wed Mar 16 13:45:34 2016 
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 16 Mar 2016 09:45:34 -0400
Subject: [Freeipa-devel] [PATCH 550] certdb: never use the -r option of certutil
In-Reply-To: <56E91BF5.6080402@redhat.com>
References: <56E67663.3030405@redhat.com> <56E7AAFC.2000007@redhat.com> <56E91BF5.6080402@redhat.com>
Message-ID: <56E9637E.9070802@redhat.com>

Martin Basti wrote:
>
>
> On 15.03.2016 07:26, David Kupka wrote:
>> On 14/03/16 09:29, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch fixes
>>> and .
>>>
>>> Honza
>>>
>>>
>>>
>> Hi, thanks for the patch. I haven't found any distortion of affected
>> use cases, ACK.
>>
> Pushed to:
> ipa-4-2: 00097c1dd82f55b1e004b9d6eb4f6ed7fb6ffca8
> ipa-4-3: b7bf55e951cabf77aa72b4b795396b52b801f8ba
> master: 54a59475f301267c7263a649df1b992e9b3e08aa
>

Hmm, I'm unable to reproduce this behavior.

I have a database with two server certs, same nickname:

$ certutil -L -d /tmp/db -n Server-Cert -a
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

$ certutil -L -d /tmp/db -n Server-Cert |grep Serial
Serial Number: 7 (0x7)
Serial Number: 6 (0x6)

$ certutil -L -d /tmp/db -n Server-Cert -r -o /tmp/server.der
$ /usr/lib64/nss/unsupported-tools/derdump -i /tmp/server.der |grep -C 2 Integer
C-Sequence (554)
C-[0] (3)
Integer (1)
02
Integer (1)
07
C-Sequence (13)
--
C-Sequence (554)
C-[0] (3)
Integer (1)
02
Integer (1)
06
C-Sequence (13)

$ openssl x509 -text -in /tmp/server.der -inform der |grep Serial
Serial Number: 7 (0x7)

I guess it's something else, python-nss perhaps, that can't handle a DER with multiple certs in it. So no need to file a mozilla bug I suppose.

rob

From ofayans at redhat.com Wed Mar 16 13:59:16 2016 
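The situation Rob describes above, one DER file in which `certutil -L -r` wrote two certificates back to back while `openssl x509` reported only the first serial, as an added example (not code from FreeIPA, NSS or python-nss): a minimal reader that splits such a file into its individual certificates. The byte strings are constructed stand-ins carrying serials 7 and 6, not real certificates, and every function name is hypothetical.

```python
"""Split a file that holds several DER certificates back to back."""


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: one length byte
        length = first
    else:                                  # long form: next n bytes are the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding before offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length


def split_der(blob):
    """Return every top-level SEQUENCE in blob as its own bytes object."""
    certs, pos = [], 0
    while pos < len(blob):
        tag, _, end = read_tlv(blob, pos)
        if tag != 0x30:
            raise ValueError("offset %d is not a SEQUENCE" % pos)
        certs.append(blob[pos:end])
        pos = end
    return certs


def serial_number(cert):
    """Certificate -> tbsCertificate -> optional [0] version -> INTEGER serial.

    Only the first top-level object is read; bytes after it are ignored,
    which is how a single-certificate reader ends up seeing one serial.
    """
    _, body, _ = read_tlv(cert, 0)
    tag, pos, _ = read_tlv(cert, body)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(cert, pos)
    if tag == 0xA0:                        # explicit version tag, skip over it
        tag, start, end = read_tlv(cert, end)
    if tag != 0x02:
        raise ValueError("serial number is not an INTEGER")
    return int.from_bytes(cert[start:end], "big", signed=True)


def serials(blob):
    """Serial number of every certificate found in blob, in file order."""
    return [serial_number(c) for c in split_der(blob)]


# --- constructed sample data below: certificate-shaped, not real certs ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def _fake_cert(serial):
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    filler = _tlv(0x04, b"\x00" * 200)     # forces long-form lengths
    tbs = _tlv(0x30, version + _tlv(0x02, bytes([serial])) + filler)
    return _tlv(0x30, tbs + _tlv(0x03, b"\x00" * 17))


SAMPLE = _fake_cert(7) + _fake_cert(6)

if __name__ == "__main__":
    print("first object only:", serial_number(SAMPLE))
    print("all objects:      ", serials(SAMPLE))
```

A consumer that expects exactly one certificate can call `split_der()` first and reject input where the result has more than one element, rather than silently using the first.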
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 16 Mar 2016 14:59:16 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 In-Reply-To: <56E96214.7050609@redhat.com> References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> Message-ID: <56E966B4.2030709@redhat.com> Hi Martin On 03/16/2016 02:39 PM, Martin Basti wrote: > > > On 16.03.2016 10:59, Oleg Fayans wrote: >> With this patch applied integration tests pass and in-tree tests are >> gracefully skipped. >> >> @mkubik, It is not possible to put the decorator to util.py as per our >> discussion, because it uses tasks, so tasks must be imported. But tasks >> already import util, which leads to circular imports. So I've put it to >> tasks.py >> >> >> > NACK > > 1) > Use right ticket in commit message (#5723) But (#5736) is exactly the issue that is being addressed. Probably note both tickets in the commit message? > > 2) > Link to ticket should be last in the commit message > > 3) > dereplicafy > > 3a) > wrong doc string, it removes *only* replicas not clients No, in fact it removes both: uninstall_replica(args[0].master, host) uninstall_client(host) Both tasks have raiseonerr set to False, which means that even if replica was not installed but the client was - it will also be removed > > 3b) > can we rename it to something different? (replicas_cleanup, > replicas_uninstall, replicas_teardown) replicas_cleanup, or even topo_cleanup sounds OK to me. > > 4) > Please fix commit message > - Wile trated correctly > - followiong > - rewrote -> rewrite Will do > > 5) > decorator > + def wrapped(*args): > + func(*args) > + for host in args[0].replicas: > > Shouldn't be there try-finally around func() call, or something? No, the wrapped function is a test_* method: if it fails we need to see the original failure > Are you sure that there is no need to return result of func()? 
The same applies here: we never return results from test_* methods > > *) Please create additional patch that will add licence there > > Will do :) -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From mbasti at redhat.com Wed Mar 16 14:13:57 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 15:13:57 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 In-Reply-To: <56E966B4.2030709@redhat.com> References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> <56E966B4.2030709@redhat.com> Message-ID: <56E96A25.7080504@redhat.com> On 16.03.2016 14:59, Oleg Fayans wrote: > Hi Martin > > On 03/16/2016 02:39 PM, Martin Basti wrote: >> >> On 16.03.2016 10:59, Oleg Fayans wrote: >>> With this patch applied integration tests pass and in-tree tests are >>> gracefully skipped. >>> >>> @mkubik, It is not possible to put the decorator to util.py as per our >>> discussion, because it uses tasks, so tasks must be imported. But tasks >>> already import util, which leads to circular imports. So I've put it to >>> tasks.py >>> >>> >>> >> NACK >> >> 1) >> Use right ticket in commit message (#5723) > But (#5736) is exactly the issue that is being addressed. Probably note > both tickets in the commit message? But as I wrote in ticket #5736, this ticket should be closed, because issue is caused by ticket which is not finished yet, so we should continue just with original ticket. > >> 2) >> Link to ticket should be last in the commit message >> >> 3) >> dereplicafy >> >> 3a) >> wrong doc string, it removes *only* replicas not clients > No, in fact it removes both: > uninstall_replica(args[0].master, host) > uninstall_client(host) > > Both tasks have raiseonerr set to False, which means that even if > replica was not installed but the client was - it will also be removed I see just for host in args[0].replicas I don't see any for host in args[0].clients there Also uninstall_client should not be there. ipa-server-install --uninstall removes client too. The extra call of uninstall client is IMO there just because an ancient bug that is already fixed. > >> 3b) >> can we rename it to something different? 
(replicas_cleanup,
>> replicas_uninstall, replicas_teardown)
> replicas_cleanup, or even topo_cleanup sounds OK to me.
>
>> 4)
>> Please fix commit message
>> - Wile trated correctly
>> - followiong
>> - rewrote -> rewrite
> Will do
>
>> 5)
>> decorator
>> + def wrapped(*args):
>> + func(*args)
>> + for host in args[0].replicas:
>>
>> Shouldn't be there try-finally around func() call, or something?
> No, the wrapped function is a test_* method: if it fails we need to see
> the original failure
but if something raises an exception in func(), cleanup will not be executed.

You can do
In [4]: try:
   ...:     raise ValueError('Hello')
   ...: finally:
   ...:     try:
   ...:         raise ValueError('Cleanup')
   ...:     except Exception:
   ...:         pass
   ...:
---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
 in ()
      1 try:
----> 2     raise ValueError('Hello')
      3 finally:
      4     try:
      5         raise ValueError('Cleanup')

ValueError: Hello

>
>> Are you sure that there is no need to return result of func()?
> The same applies here: we never return results from test_* methods
ok
>
>> *) Please create additional patch that will add licence there
>>
>>
> Will do :)
>
>
From mbasti at redhat.com Wed Mar 16 14:35:12 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 16 Mar 2016 15:35:12 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 In-Reply-To: <56E96A25.7080504@redhat.com> References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> <56E966B4.2030709@redhat.com> <56E96A25.7080504@redhat.com> Message-ID: <56E96F20.6080009@redhat.com> On 16.03.2016 15:13, Martin Basti wrote: > > > On 16.03.2016 14:59, Oleg Fayans wrote: >> Hi Martin >> >> On 03/16/2016 02:39 PM, Martin Basti wrote: >>> >>> On 16.03.2016 10:59, Oleg Fayans wrote: >>>> With this patch applied integration tests pass and in-tree tests are >>>> gracefully skipped. >>>> >>>> @mkubik, It is not possible to put the decorator to util.py as per our >>>> discussion, because it uses tasks, so tasks must be imported. But >>>> tasks >>>> already import util, which leads to circular imports. So I've put >>>> it to >>>> tasks.py >>>> >>>> >>>> >>> NACK >>> >>> 1) >>> Use right ticket in commit message (#5723) >> But (#5736) is exactly the issue that is being addressed. Probably note >> both tickets in the commit message? > But as I wrote in ticket #5736, this ticket should be closed, because > issue is caused by ticket which is not finished yet, so we should > continue just with original ticket. > >> >>> 2) >>> Link to ticket should be last in the commit message >>> >>> 3) >>> dereplicafy >>> >>> 3a) >>> wrong doc string, it removes *only* replicas not clients >> No, in fact it removes both: >> uninstall_replica(args[0].master, host) >> uninstall_client(host) >> >> Both tasks have raiseonerr set to False, which means that even if >> replica was not installed but the client was - it will also be removed > I see just > for host in args[0].replicas > > I don't see any > for host in args[0].clients > there > > Also uninstall_client should not be there. ipa-server-install > --uninstall removes client too. 
The extra call of uninstall client is > IMO there just because an ancient bug that is already fixed. > >> >>> 3b) >>> can we rename it to something different? (replicas_cleanup, >>> replicas_uninstall, replicas_teardown) >> replicas_cleanup, or even topo_cleanup sounds OK to me. >> >>> 4) >>> Please fix commit message >>> - Wile trated correctly >>> - followiong >>> - rewrote -> rewrite >> Will do >> >>> 5) >>> decorator >>> + def wrapped(*args): >>> + func(*args) >>> + for host in args[0].replicas: >>> >>> Shouldn't be there try-finally around func() call, or something? >> No, the wrapped function is a test_* method: if it fails we need to see >> the original failure > but if something raise an exception in func(), cleanup will not be > executed. > > You can do > In [4]: try: > ...: raise ValueError('Hello') > ...: finally: > ...: try: > ...: raise ValueError('Cleanup') > ...: except Exception: > ...: pass > ...: > --------------------------------------------------------------------------- > > ValueError Traceback (most recent call > last) > in () > 1 try: > ----> 2 raise ValueError('Hello') > 3 finally: > 4 try: > 5 raise ValueError('Cleanup') > > ValueError: Hello On the other hand, I do not want cleanup with --pdb option, so maybe it should just fail > >> >>> Are you sure that there is no need to return result of func()? >> The same applies here: we never return results from test_* methods > ok >> >>> *) Please create additional patch that will add licence there >>> >>> >> Will do :) >> >> > From pvoborni at redhat.com Wed Mar 16 16:16:02 2016 
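The two decorator shapes debated in this thread, side by side, as an added example that is not the patch under review: the quoted `wrapped()` without try/finally, and a variant built on the try/finally pattern from the IPython session. `uninstall_replica` here is a hypothetical stand-in for the tasks.py helper, and the host names and `Topology` class are constructed for the demonstration.

```python
import functools

INSTALLED = set()          # constructed state: hosts that still carry a replica


def uninstall_replica(master, host):
    """Hypothetical stand-in for the helper named in the thread."""
    if host.startswith("broken"):
        raise RuntimeError("Cleanup failed on %s" % host)
    INSTALLED.discard(host)


class Topology:
    """Constructed stand-in for the test class instance passed as args[0]."""

    def __init__(self, master, replicas):
        self.master = master
        self.replicas = list(replicas)


def cleanup_after(func):
    """Shape quoted in the review: cleanup runs only if func() returns."""
    @functools.wraps(func)
    def wrapped(*args):
        func(*args)
        for host in args[0].replicas:
            uninstall_replica(args[0].master, host)
    return wrapped


def cleanup_always(func):
    """try/finally shape: cleanup always runs, the test's own error wins."""
    @functools.wraps(func)
    def wrapped(*args):
        try:
            return func(*args)
        finally:
            for host in args[0].replicas:
                try:
                    uninstall_replica(args[0].master, host)
                except Exception:
                    # Swallowed on purpose so that a cleanup error never
                    # replaces the failure raised by the test itself.
                    pass
    return wrapped


def run_failing_test(decorator, replicas):
    """Run a test that raises; return (reported error, hosts left installed)."""
    INSTALLED.clear()
    INSTALLED.update(replicas)
    topo = Topology("master.example.test", replicas)

    @decorator
    def test_something(self):
        raise ValueError("Hello")

    try:
        test_something(topo)
    except Exception as exc:
        return str(exc), sorted(INSTALLED)
    return None, sorted(INSTALLED)


if __name__ == "__main__":
    hosts = ["replica1.example.test", "replica2.example.test"]
    print(run_failing_test(cleanup_after, hosts))
    print(run_failing_test(cleanup_always, hosts))
```

In both cases the reported error is the test's own `ValueError`; the difference is only whether the replicas are still installed for the next test.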
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 16 Mar 2016 17:16:02 +0100 Subject: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches In-Reply-To: <1457619952.8257.306.camel@redhat.com> References: <56E17EC4.4040500@redhat.com> <1457619952.8257.306.camel@redhat.com> Message-ID: <56E986C2.3010301@redhat.com> On 03/10/2016 03:25 PM, Simo Sorce wrote: > On Thu, 2016-03-10 at 15:03 +0100, Petr Vobornik wrote: >> Attaching also mod_auth_gssapi patch. If the approach is good, then I'd >> send it as a push request to upstream git repo. >> >> Copr build of mod_auth_gssapi with the patch: >> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/ >> >> IPA patch attached uses the functionality. >> >> https://fedorahosted.org/freeipa/ticket/5653 > > I think the mod_auth_gssapi patch needs more work. New iteration, but not a final patch, mostly because of reaping of the files, but there are also some debug prints. > > For one you are not storing the generated ccname in the cookie, which > means any following request using mod_auth_gssapi sessions will not be > able to point to the ccache file. Do you mean session? Cookie should contain only session ID, right? > > It is also not clear to me why you are using a timestamp and not just > call something like mkstemp() with a template, and add an option called > GssapiDelegCcacheTemplate instead. I didn't think about that. > > The templated part would have to be saved in the session so that > following requests can keep using the same ccache file. Fixed (but not tested yet) > > There are other minor niticks around naming stuff, but those can be > handled in the PR. > > One thing I am still undecided about is deletion of the files, I'd like > to have a better option than "application must delete them", I was > thinking about keeping a record of the expiration time (not sure where > yet), and then provide a cron job or a systemd timer to clean up all > expired stuff. 
I thought we won't need it and that it could be handled by apps, but
that won't work.

Case 1: ipa kerberize entire /ipa directory so a request to a random
resource might leave a ccache behind, e.g.:
curl -v --negotiate -u : --cacert /etc/ipa/ca.crt https://$(hostname)/ipa/foo

leaves:
ls /var/run/httpd/ipa/clientcaches/
ipacchache-sgwB9v

Case 2: custodia, it doesn't clean anything as well.

When sessions are not in play then, the plugin can remove the ccache at
the end of request. AFAIK mod_auth_kerb does it.

With sessions, there needs to be a reaper.

>
> Simo.
>

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Support-unique-credential-cache-names.patch
Type: text/x-patch
Size: 12207 bytes
Desc: not available
URL: 
From pvoborni at redhat.com Wed Mar 16 17:34:55 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 16 Mar 2016 18:34:55 +0100 Subject: [Freeipa-devel] [PATCH] 0005 webui: topology graph: canvas resizes itself according to the window size In-Reply-To: <56E28B54.8090204@redhat.com> References: <56BC7105.3020609@redhat.com> <56BDD5A6.8010108@redhat.com> <56C1ECA4.2070900@redhat.com> <56C4ADF0.4080702@redhat.com> <56CF1498.8080302@redhat.com> <56E1AA07.5040102@redhat.com> <56E28B54.8090204@redhat.com> Message-ID: <56E9993F.6000705@redhat.com> On 03/11/2016 10:09 AM, Pavel Vomacka wrote: > > > On 03/10/2016 06:08 PM, Petr Vobornik wrote: >> On 02/25/2016 03:50 PM, Pavel Vomacka wrote: >>> >>> >>> On 02/17/2016 06:29 PM, Petr Vobornik wrote: >>>> On 02/15/2016 04:20 PM, Pavel Vomacka wrote: >>>>> >>>>> >>>>> On 02/12/2016 01:52 PM, Pavel Vomacka wrote: >>>>>> >>>>>> >>>>>> On 02/11/2016 12:31 PM, Pavel Vomacka wrote: >>>>>>> Hello, >>>>>>> >>>>>>> The canvas of the graph had static size. This patch fixes this issue >>>>>>> and from now the graph canvas is resized according to the window >>>>>>> size. >>>>>>> >>>>>>> Pavel Vomacka >>>>>>> >>>>>>> >>>>>> Because of changes in previous patch I'm sending also this one again. >>>>>> Plus I fixed some jslint warnings. >>>>>> >>>>>> And again a link to the ticket: >>>>>> https://fedorahosted.org/freeipa/ticket/5647 . >>>>>> >>>>>> -- >>>>>> Pavel^3 Vomacka >>>>>> >>>>>> >>>>> And another change in the code. This patch adds checking whether a svg >>>>> element even exists. And don't add 'col-sm-12' class to the svg >>>>> element >>>>> any more. This class just added useless paddings to the element. >>>>> >>>>> -- >>>>> Pavel^3 Vomacka >>>>> >>>> >>>> Hi, >>>> >>>> thanks for the patch. >>> Hi, >>> >>> thank you for reviewing. >>>> >>>> 1. I don't like the fact that the resize handler registered in >>>> initialize method is active forever, even when viewing other facets. >>> I moved the handler to the topology graph facet. 
It is also removed >>> after hide event is emited. >>>> 2. The code will probably fail if there is other svg element present >>>> on the page. >>>> >>>> $('svg') searches for all svg elements in DOM, such search is usually >>>> slow and undeterministic. It is better to use a stored reference(if >>>> possible) or limit the search to some parent element, e.g. TopoGraph >>>> can store and then use its container. >>>> >>>> Would be funny if there were 2 graphs. >>> Yep, you are right. I avoid using this type of searching in this patch. >>> >>>> >>>> 3. Why is there the toFixed(1) call? Or more specifically on that >>>> position? It hides the fact that toFixed transforms Number to String >>>> and then '-' operator with Number on the right casts it back to Number. >>> The toFixed(1) was used just because we don't need so accurate numbers, >>> but in this patch this function is not used any more. >>>> >>>> 4. width could be just: this._svg.parent().width() >>> The width is now solved by using this.content.width() in topology graph >>> facet. I think that the calculating of width and height should be at the >>> same place. That is why I didn't put calculating of width into the >>> TopoGraph. >>>> >>>> 5. Your approach for bottom padding works well but I don't like that >>>> the component assumes that there is some col-sm-12 element on a page >>>> whose right padding is actually equal to space on the left of the svg. >>> I agree, fixed. >>>> >>>> #1 and #5 makes me think that the resize logic should be moved >>>> topology facet. Something like: >>>> >>>> * register resize handler on facet's 'show' event >>>> * unregister resize handler on facet's 'hide' event (will solve #1) >>>> * on window resize, compute the size in topology facet, call new >>>> .resize(width, height) method of TopoGraph >>>> >>>> Then, we wouldn't have to search whole DOM for 'svg' elements to check >>>> if page is visible. 
The bottom padding can be obtained by: >>>> parseInt(this.content.css('paddingLeft')) where 'this' is facet. >>>> >>> I followed these tips and here is a new patch. >>> >>> -- >>> Pavel^3 Vomacka >> >> >> 1. >> - width: 960, >> - height: 500, >> >> Graph even without this patch allows to set initial size in a >> constructor, e.g.: >> >> E.g. so he could also use: >> this.graph = new topology_graph.TopoGraph({ >> nodes: data.nodes, >> links: data.links, >> suffixes: data.suffixes >> height: height, >> width: width >> }); >> >> IMO we should leave some default size there, e.g. the old 960x500 so >> that the graph is shown even without explicit configuration. >> > Ok, I put the default size back, but into graph specification as you > write here. Ah, I badly expressed myself, sorry. I wanted to leave the original code on its place(TopoGraph). The above was just example what is possible with or without the change because it is not obvious from code. > >> 2. >> - update: function() { >> + update: function(height, width) { >> >> Update method should not required size params. E.g. if it should >> trigger only data update. So it should contain at least a doc string >> that the values are optional. Maybe it should be a single param. >> >> > These parameters are not required so I add doc string and also changed > them to single param. Looks good. > > -- > Pavel^3 Vomacka -- Petr Vobornik From pvoborni at redhat.com Wed Mar 16 17:56:10 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 16 Mar 2016 18:56:10 +0100 Subject: [Freeipa-devel] [PATCH] 0009 webui: Show certificates in useful format In-Reply-To: <56E7FEA8.3010404@redhat.com> References: <56E7FEA8.3010404@redhat.com> Message-ID: <56E99E3A.3040200@redhat.com> On 03/15/2016 01:23 PM, Pavel Vomacka wrote: > Hello, > > patch for https://fedorahosted.org/freeipa/ticket/5311 is attached. > > -- > Pavel^3 Vomacka > Not tested, but can we avoid using
s with "white-space: pre" and therefore use only IPA.cert.pem_cert_format(text). Also, it should be displayed in monospaced, so probably add: .certificate-widget .certificate { font-family: monospace; overflow-x: auto; white-space: pre; } Probably as a separate patch or ticket: we can add "download" button which would offer the certificate in form of data uri[1] with 'download' attribute of 'a' element [2]. So user will get pem encoded file without any hassle. [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs [2] https://developer.mozilla.org/en/docs/Web/HTML/Element/a -- Petr Vobornik From simo at redhat.com Wed Mar 16 18:32:00 2016 From: simo at redhat.com (Simo Sorce) Date: Wed, 16 Mar 2016 14:32:00 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches In-Reply-To: <56E986C2.3010301@redhat.com> References: <56E17EC4.4040500@redhat.com> <1457619952.8257.306.camel@redhat.com> <56E986C2.3010301@redhat.com> Message-ID: <1631307870.10399818.1458153120625.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Petr Vobornik" > To: "Simo Sorce" > Cc: "freeipa-devel" > Sent: Wednesday, March 16, 2016 12:16:02 PM > Subject: Re: [PATCH] 955 sessions: use unique mod_auth_gssapi ccaches > > On 03/10/2016 03:25 PM, Simo Sorce wrote: > > On Thu, 2016-03-10 at 15:03 +0100, Petr Vobornik wrote: > >> Attaching also mod_auth_gssapi patch. If the approach is good, then I'd > >> send it as a push request to upstream git repo. > >> > >> Copr build of mod_auth_gssapi with the patch: > >> https://copr.fedorainfracloud.org/coprs/pvoborni/freeipa-4-3/build/167157/ > >> > >> IPA patch attached uses the functionality. > >> > >> https://fedorahosted.org/freeipa/ticket/5653 > > > > I think the mod_auth_gssapi patch needs more work. > > New iteration, but not a final patch, mostly because of reaping of the > files, but there are also some debug prints. 
> > > > For one you are not storing the generated ccname in the cookie, which > > means any following request using mod_auth_gssapi sessions will not be > > able to point to the ccache file. > > Do you mean session? Cookie should contain only session ID, right? No, in order to avoid having to keep state on the server we create a session storage structure, encrypt it in a key known only to the server, and send it as a cookie. This way we do not have to store anything on the server side. > > > > It is also not clear to me why you are using a timestamp and not just > > call something like mkstemp() with a template, and add an option called > > GssapiDelegCcacheTemplate instead. > > I didn't think about that. > > > > > The templated part would have to be saved in the session so that > > following requests can keep using the same ccache file. > > Fixed (but not tested yet) > > > > > There are other minor nitpicks around naming stuff, but those can be > > handled in the PR. > > > > One thing I am still undecided about is deletion of the files, I'd like > > to have a better option than "application must delete them", I was > > thinking about keeping a record of the expiration time (not sure where > > yet), and then provide a cron job or a systemd timer to clean up all > > expired stuff. > > I thought we won't need it and that it could be handled by apps, but > that won't work. > > Case 1: ipa kerberize entire /ipa directory so a request to a random > resource might leave a ccache behind, e.g.: > curl -v --negotiate -u : --cacert /etc/ipa/ca.crt > https://$(hostname)/ipa/foo > > leaves: > ls /var/run/httpd/ipa/clientcaches/ > ipacchache-sgwB9v > > Case 2: custodia, it doesn't clean anything as well. > > When sessions are not in play, then the plugin can remove the ccache at > the end of request. AFAIK mod_auth_kerb does it. > > With sessions, there needs to be a reaper. Exactly. Simo. 
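The mkstemp()-with-a-template approach suggested in the message above, with the generated part kept so that a later request can find the same ccache, as an added example; it is not code from mod_auth_gssapi or from the patch under review. The function names, the template file name and the use of TMPDIR or /tmp are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define ID_LEN 6 /* mkstemp() replaces exactly six trailing 'X' characters */

/* Return 1 if `id` is exactly ID_LEN alphanumeric characters, else 0.
 * A value read back from a session must pass this before it is spliced
 * into a path, so it can never carry '/' or '.' components. */
int valid_ccache_id(const char *id)
{
    if (id == NULL || strlen(id) != ID_LEN)
        return 0;
    for (size_t i = 0; i < ID_LEN; i++)
        if (!isalnum((unsigned char)id[i]))
            return 0;
    return 1;
}

/* Offset of the trailing "XXXXXX" in `tmpl`, or -1 if it is not a template. */
static long template_prefix_len(const char *tmpl)
{
    size_t n = strlen(tmpl);
    if (n <= ID_LEN || strcmp(tmpl + n - ID_LEN, "XXXXXX") != 0)
        return -1;
    return (long)(n - ID_LEN);
}

/* Create a new, empty ccache file from `tmpl`. mkstemp() opens it with
 * O_CREAT|O_EXCL, so an existing file or symlink is never reused.
 * On success: 0, `path` holds the file name and `id` the generated part. */
int create_unique_ccache(const char *tmpl, char *path, size_t path_len,
                         char id[ID_LEN + 1])
{
    long prefix = template_prefix_len(tmpl);
    if (prefix < 0 || strlen(tmpl) + 1 > path_len)
        return -1;
    strcpy(path, tmpl); /* length checked above */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* POSIX.1-2008 requires mode 0600 from mkstemp(); make it explicit. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    memcpy(id, path + prefix, ID_LEN);
    id[ID_LEN] = '\0';
    return 0;
}

/* Rebuild the ccache path for a later request from the template and the
 * id that was saved in the session. Rejects anything mkstemp() could not
 * have produced. */
int ccache_path_from_id(const char *tmpl, const char *id,
                        char *path, size_t path_len)
{
    long prefix = template_prefix_len(tmpl);
    if (prefix < 0 || !valid_ccache_id(id) || strlen(tmpl) + 1 > path_len)
        return -1;
    memcpy(path, tmpl, (size_t)prefix);
    memcpy(path + prefix, id, ID_LEN + 1);
    return 0;
}

/* Exercise the functions in a temporary directory (constructed paths).
 * Returns 0 when every check holds, a positive count of failed checks,
 * or -1 if the temporary files could not be created. */
int demo(void)
{
    const char *dir = getenv("TMPDIR");
    char tmpl[200], a[256], b[256], again[256];
    char id_a[ID_LEN + 1], id_b[ID_LEN + 1], scratch[ID_LEN + 1];
    struct stat st;
    int failures = 0;

    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(tmpl, sizeof tmpl, "%s/ipaccache-XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    if (create_unique_ccache(tmpl, a, sizeof a, id_a) != 0)
        return -1;
    if (create_unique_ccache(tmpl, b, sizeof b, id_b) != 0) {
        unlink(a);
        return -1;
    }
    failures += strcmp(a, b) == 0;                       /* two sessions, two files */
    failures += stat(a, &st) != 0 || (st.st_mode & 0777) != 0600;
    failures += ccache_path_from_id(tmpl, id_a, again, sizeof again) != 0
                || strcmp(again, a) != 0;                /* saved id finds the file */
    failures += ccache_path_from_id(tmpl, "../../", again, sizeof again) == 0;
    failures += create_unique_ccache("/tmp/ipaccache", again, sizeof again,
                                     scratch) == 0;      /* no XXXXXX: refused */
    unlink(a);
    unlink(b);
    return failures;
}

int main(void)
{
    int rc = demo();
    printf("failed checks: %d\n", rc);
    return rc != 0;
}
```

Unlike a timestamp, the generated suffix cannot collide between two requests arriving in the same second, and the exclusive create means a file planted under a guessed name is never opened.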
From stijn.deweirdt at ugent.be Thu Mar 17 08:41:53 2016 From: stijn.deweirdt at ugent.be (Stijn De Weirdt) Date: Thu, 17 Mar 2016 09:41:53 +0100 Subject: [Freeipa-devel] perl Net::FreeIPA Message-ID: <56EA6DD1.4040900@ugent.be> hi all, i have been working on FreeIPA perl bindings, i've made them available on https://github.com/stdweird/p5-net-freeipa (and thanks to Alexander Bokovoy for the very useful remarks and hints). comments/issues/PRs welcome stijn From abokovoy at redhat.com Thu Mar 17 09:44:43 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 17 Mar 2016 11:44:43 +0200 Subject: [Freeipa-devel] perl Net::FreeIPA In-Reply-To: <56EA6DD1.4040900@ugent.be> References: <56EA6DD1.4040900@ugent.be> Message-ID: <20160317094443.GG4492@redhat.com> On Thu, 17 Mar 2016, Stijn De Weirdt wrote: >hi all, > >i have been working on FreeIPA perl bindings, i've made them available >on https://github.com/stdweird/p5-net-freeipa > >(and thanks to Alexander Bokovoy for the very useful remarks and hints). > >comments/issues/PRs welcome Thanks, Stijn. As I said to you already, please work on adding dynamic retrieval and caching of the server API. You can always use 'ipa env' command to retrieve api_version value to invalidate the cache. This will give you a way to support all possible extensions in future. 
-- / Alexander Bokovoy From lslebodn at redhat.com Thu Mar 17 10:28:36 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 17 Mar 2016 11:28:36 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56E1F09D.10405@redhat.com> References: <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> Message-ID: <20160317102835.GB19342@mail.corp.redhat.com> On (10/03/16 23:09), Oleg Fayans wrote: >Hi Martin, > > > >On 03/08/2016 08:18 PM, Martin Basti wrote: >> >> >> On 08.03.2016 18:24, Martin Basti wrote: >>> >>> >>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>> The patches were rebased against the current master >>>> >>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>> * old messages have been removed * >>>>>>>>> 1) >>>>>>>>> this method is unused please remove it >>>>>>>>> >>>>>>>>> def test_kra_install_master(self): >>>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>>> keep it: >>>>>> >>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>> --collect-only >>>>>> ==================================================================================== >>>>>> >>>>>> >>>>>> test session starts >>>>>> ===================================================================================== >>>>>> >>>>>> >>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>> pytest.ini >>>>>> plugins: sourceorder, multihost >>>>>> collected 8 items >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> aah my bad, I forgot that pytest executes it when it begins with 
test_* >>>>> even in parent class >>>>>>>>> 2) >>>>>>>>> Why are these there? I do not see any usage >>>>>>>>> >>>>>>>>> from env_config import get_global_config >>>>>>>>> config = get_global_config() >>>>>> Removed >>>>>> >>>>>>>>> 3) nitpick >>>>>>>>> + num_clients = 0 >>>>>>>>> this is set by default >>>>>> Removed >>>>>> >>>>>>>>> otherwise LGTM >>>>>>>>> >>>>>>>>> Results of testing tomorrow. >>>>>>>>> >>>>>>>>> Martin^2 >>>>>>>>> >>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>> >>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>>> remove it before proceeding: >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>> host-del replica1.ipa.test >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>> ipa-replica-install command failed. See >>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>> code: 3 >>>>>>>> FAILED >>>>>> this is exactly the error that happens when a workaround for 5627 >>>>>> is not >>>>>> applied. I have re-run the tests with all the patches and everything >>>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>>> correctly? 
>>>>>> >>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>> --pdb >>>>>> ==================================================================================== >>>>>> >>>>>> >>>>>> test session starts >>>>>> ===================================================================================== >>>>>> >>>>>> >>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>> pytest.ini >>>>>> plugins: sourceorder, multihost >>>>>> collected 8 items >>>>>> >>>>>> test_integration/test_replica_promotion.py ........ >>>>>> >>>>>> ================================================================================ >>>>>> >>>>>> >>>>>> 8 passed in 7561.93 seconds >>>>>> ================================================================================= >>>>>> >>>>>> >>>>>> >>>>> I will >>>>> >>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. >>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>> NACK >>> >>> 1) >>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>> >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>> 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. 
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >>> FAILED >>> >>> 2) >>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>> 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. 
>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>> FAILED >>> >>> >>> 3) >>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>> >>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>> '192.168.200.103', '-r', 'IPA.TEST'] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>> already configured on this system, ignoring the --domain, --server, >>> --realm, --hostname, --password and --keytab options. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>> may be partly configured. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>> /usr/sbin/ipa-server-install --uninstall to clean up. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>> provide a file generated by ipa-replica-prepare to create a replica >>> when the domain is at level 0. >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>> ipa-replica-install command failed. 
See >>> /var/log/ipareplica-install.log for more information >>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>> FAILED >>> >>> >>> Reason: >>> >>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>> - setup_kra=False, extra_args=()): >>> + setup_kra=False, extra_args=(), domain_level=None): >>> + if domain_level is None: >>> + domain_level = domainlevel(master) > >Oops. Sorry, must have been a result of inaccurate rebase. Fixed >The successful run is attached > >>> >>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>> + if domainlevel == DOMAIN_LEVEL_0: >>> >>> domain_level variable is actually unused >>> >> Also with your patch that removes host_prepare, I see many following >> errors in test debug output >> >> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >> cd: /root/ipatests: No such file or directory >> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >> /root/ipatests/env.sh: No such file or directory >> >> >> I do not see these errors in current tests, so the patch does not seem >> right to me. > >http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull > >I've been experimenting a lot to find get rid of it but was >unsuccessful. Seemingly it does not affect the tests. 
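Review bot: In the quoted install_replica() hunk, the new condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` function itself with the constant instead of the `domain_level` value computed two lines earlier, so the level-0 branch is not taken and the new parameter has no effect; the condition should read `if domain_level == DOMAIN_LEVEL_0:`. The added `domain_level=None` parameter would also benefit from a docstring line stating that None means the level is queried from the master.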
> Oleg it looks like you broke something in the test_integration/test_external_ca.py _______________________ TestExternalCA.test_external_ca ________________________ self = def test_external_ca(self): # Step 1 of ipa-server-install self.master.run_command([ 'ipa-server-install', '-U', '-a', self.master.config.admin_password, '-p', self.master.config.dirman_password, '--setup-dns', '--no-forwarders', '-n', self.master.domain.name, '-r', self.master.domain.realm, '--domain-level=%i' % self.master.config.domain_level, '--external-ca' ]) nss_db = os.path.join(self.master.config.test_dir, 'testdb') external_cert_file = os.path.join(nss_db, 'ipa.crt') external_ca_file = os.path.join(nss_db, 'ca.crt') noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') # Create noise and password files for NSS database > self.master.run_command('date | sha256sum > %s' % noisefile) test_integration/test_external_ca.py:49: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ../pytest_multihost/host.py:246: in run_command command.wait(raiseonerr=raiseonerr) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = raiseonerr = True def wait(self, raiseonerr=True): """Wait for the remote process to exit Raises an excption if the exit code is not 0, unless raiseonerr is true. 
""" if self._done: return self.returncode self._end_process() self._done = True if raiseonerr and self.returncode: self.log.error('Exit code: %s', self.returncode) > raise subprocess.CalledProcessError(self.returncode, self.argv) E CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1 ../pytest_multihost/transport.py:159: CalledProcessError ---------------------------- Captured stdout setup ----------------------------- ========================== 1 failed in 32.25 seconds =========================== The command "date | sha256sum > /root/ipatests/noise.txt" The only explanation is that the directory /root/ipatests/ does not exist. LS From mbabinsk at redhat.com Thu Mar 17 13:39:06 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 17 Mar 2016 14:39:06 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management Message-ID: <56EAB37A.5070606@redhat.com> Hi list, I would like to discuss the merge of `del_master_managed()` function from `ipa-replica-manage` command into the server_del API call that is a part of the managed replication topology design update[1] (see also the corresponding upstream ticket [2]). Before I head down into coding I want to be sure that everyone is one the same page regarding the expected use-cases which govern the API design. IIUC, there are two main uses of the new functionality according to design document: 1.) run 'server_del' when 'ipa-replica-manage del' is run in domain-level 1 2.) during 'ipa-server-install --uninstall', 'server_del' should be called on one of remote masters to remove the uninstalled server from the managed topology What I didn't get from the design document is whether the method should have some kind of 'force' option which should bypass all topology connectivity checks. 
Currently both `ipa-replica-manage del` and server uninstaller have options which will force the removal even if it disconnects the topology ('--force' in the former, '--ignore-disconnected-topology' in the latter). I guess the 'server_del' method should inherit this flag so that we retain the original functionality (for better or worse). I propose to name this option 'ignore_topology_disconnect' because it is more descriptive than plain 'force'. I would also like to ask whether 'server_del' (which is currently NO_CLI) should be usable also from command line. [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 [2] https://fedorahosted.org/freeipa/ticket/5588 -- Martin^3 Babinsky From pvoborni at redhat.com Thu Mar 17 13:55:48 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 17 Mar 2016 14:55:48 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EAB37A.5070606@redhat.com> References: <56EAB37A.5070606@redhat.com> Message-ID: <56EAB764.5060200@redhat.com> On 03/17/2016 02:39 PM, Martin Babinsky wrote: > Hi list, > > I would like to discuss the merge of `del_master_managed()` function > from `ipa-replica-manage` command into the server_del API call that is a > part of the managed replication topology design update[1] (see also the > corresponding upstream ticket [2]). > > Before I head down into coding I want to be sure that everyone is one > the same page regarding the expected use-cases which govern the API design. > > IIUC, there are two main uses of the new functionality according to > design document: > > 1.) run 'server_del' when 'ipa-replica-manage del' is run in domain-level 1 Right, this is for backwards compatibility(BC). > > 2.) 
during 'ipa-server-install --uninstall', 'server_del' should be > called on one of remote masters to remove the uninstalled server from > the managed topology > > What I didn't get from the design document is whether the method should > have some kind of 'force' option which should bypass all topology > connectivity checks. Currently both `ipa-replica-manage del` and server > uninstaller have options which will force the removal even if it > disconnects the topology ('--force' in the former, > '--ignore-disconnected-topology' in the latter). I would say that uninstaller should do checks in validate method therefore the subsequent `server-del` doesn't need to do it again but it shouldn't harm. I.e. it should follow what the user specified. If user wants to skip (--ignore-d..-t..) then skip. If not then it will fail in validate method. Only issue might be error state where servers have different picture of the topology. > > I guess the 'server_del' method should inherit this flag so that we > retain the original functionality (for better or worse). I propose to > name this option 'ignore_topology_disconnect' because it is more > descriptive than plain 'force'. +1 And in BC case, `ipa-replica-manage --force` would call `server-del --ig..-d..-t...` > > I would also like to ask whether 'server_del' (which is currently > NO_CLI) should be usable also from command line. IMO yes, it should mostly as a couterpart of `ipa-replica-manage --force --clean` Which bring us to --clean option and what it should do... 
> > > [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 > [2] https://fedorahosted.org/freeipa/ticket/5588 > -- Petr Vobornik From mbabinsk at redhat.com Thu Mar 17 14:17:52 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 17 Mar 2016 15:17:52 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EAB764.5060200@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> Message-ID: <56EABC90.2080205@redhat.com> On 03/17/2016 02:55 PM, Petr Vobornik wrote: > On 03/17/2016 02:39 PM, Martin Babinsky wrote: >> Hi list, >> >> I would like to discuss the merge of `del_master_managed()` function >> from `ipa-replica-manage` command into the server_del API call that is a >> part of the managed replication topology design update[1] (see also the >> corresponding upstream ticket [2]). >> >> Before I head down into coding I want to be sure that everyone is one >> the same page regarding the expected use-cases which govern the API >> design. >> >> IIUC, there are two main uses of the new functionality according to >> design document: >> >> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >> domain-level 1 > > Right, this is for backwards compatibility(BC). > >> >> 2.) during 'ipa-server-install --uninstall', 'server_del' should be >> called on one of remote masters to remove the uninstalled server from >> the managed topology >> >> What I didn't get from the design document is whether the method should >> have some kind of 'force' option which should bypass all topology >> connectivity checks. Currently both `ipa-replica-manage del` and server >> uninstaller have options which will force the removal even if it >> disconnects the topology ('--force' in the former, >> '--ignore-disconnected-topology' in the latter). 
> > I would say that uninstaller should do checks in validate method > therefore the subsequent `server-del` doesn't need to do it again but it > shouldn't harm. I.e. it should follow what the user specified. If user > wants to skip (--ignore-d..-t..) then skip. If not then it will fail in > validate method. > > Only issue might be error state where servers have different picture of > the topology. > If the view of the topology is not self-consistent then you have plenty of other issues to take care of and that may include some forced removal and recreation of nodes. >> >> I guess the 'server_del' method should inherit this flag so that we >> retain the original functionality (for better or worse). I propose to >> name this option 'ignore_topology_disconnect' because it is more >> descriptive than plain 'force'. > > +1 > > And in BC case, `ipa-replica-manage --force` would call `server-del > --ig..-d..-t...` > Yes. >> >> I would also like to ask whether 'server_del' (which is currently >> NO_CLI) should be usable also from command line. > > IMO yes, it should mostly as a couterpart of `ipa-replica-manage --force > --clean` > > Which bring us to --clean option and what it should do... > According to the design, '--clean' should be used as a cleanup of leftovers after deleted servers. How I image it from the implementation point of view is that when '--clean' is specified and the server was already deleted, the NotFound error raised from the framework should be ignored and the code should continue in clean up. (I assume that segment/service/dns cleanup will be done in post_callback portion and the topology connectivity/sanity checks in the pre_callback). That means that '--clean' has no additional effect when the server exists. 
>> >> >> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >> [2] https://fedorahosted.org/freeipa/ticket/5588 >> > > -- Martin^3 Babinsky From pvoborni at redhat.com Thu Mar 17 14:37:10 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 17 Mar 2016 15:37:10 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EABC90.2080205@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> Message-ID: <56EAC116.3000504@redhat.com> On 03/17/2016 03:17 PM, Martin Babinsky wrote: > On 03/17/2016 02:55 PM, Petr Vobornik wrote: >> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>> Hi list, >>> >>> I would like to discuss the merge of `del_master_managed()` function >>> from `ipa-replica-manage` command into the server_del API call that is a >>> part of the managed replication topology design update[1] (see also the >>> corresponding upstream ticket [2]). >>> >>> Before I head down into coding I want to be sure that everyone is one >>> the same page regarding the expected use-cases which govern the API >>> design. >>> >>> IIUC, there are two main uses of the new functionality according to >>> design document: >>> >>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>> domain-level 1 >> >> Right, this is for backwards compatibility(BC). >> >>> >>> 2.) during 'ipa-server-install --uninstall', 'server_del' should be >>> called on one of remote masters to remove the uninstalled server from >>> the managed topology >>> >>> What I didn't get from the design document is whether the method should >>> have some kind of 'force' option which should bypass all topology >>> connectivity checks. Currently both `ipa-replica-manage del` and server >>> uninstaller have options which will force the removal even if it >>> disconnects the topology ('--force' in the former, >>> '--ignore-disconnected-topology' in the latter). 
>> >> I would say that uninstaller should do checks in validate method >> therefore the subsequent `server-del` doesn't need to do it again but it >> shouldn't harm. I.e. it should follow what the user specified. If user >> wants to skip (--ignore-d..-t..) then skip. If not then it will fail in >> validate method. >> >> Only issue might be error state where servers have different picture of >> the topology. >> > If the view of the topology is not self-consistent then you have plenty > of other issues to take care of and that may include some forced removal > and recreation of nodes. > >>> >>> I guess the 'server_del' method should inherit this flag so that we >>> retain the original functionality (for better or worse). I propose to >>> name this option 'ignore_topology_disconnect' because it is more >>> descriptive than plain 'force'. >> >> +1 >> >> And in BC case, `ipa-replica-manage --force` would call `server-del >> --ig..-d..-t...` >> > Yes. >>> >>> I would also like to ask whether 'server_del' (which is currently >>> NO_CLI) should be usable also from command line. >> >> IMO yes, it should mostly as a couterpart of `ipa-replica-manage --force >> --clean` >> >> Which bring us to --clean option and what it should do... >> > According to the design, '--clean' should be used as a cleanup of > leftovers after deleted servers. How I image it from the implementation > point of view is that when '--clean' is specified and the server was > already deleted, the NotFound error raised from the framework should be > ignored and the code should continue in clean up. (I assume that > segment/service/dns cleanup will be done in post_callback portion and > the topology connectivity/sanity checks in the pre_callback). When thinking about it, clean could be a separate command which would be called internally in post callback of server-del. It would reduce the number of ifs in server-del and simplify it in general. It would work only if server entry doesn't exists. 
> That means that '--clean' has no additional effect when the server exists. Right >>> >>> >>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>> -- Petr Vobornik From ofayans at redhat.com Thu Mar 17 15:00:13 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 17 Mar 2016 16:00:13 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <20160317102835.GB19342@mail.corp.redhat.com> References: <56D6E0E7.8020503@redhat.com> <56D87699.6030305@redhat.com> <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> Message-ID: <56EAC67D.8040701@redhat.com> Hi Lukas, On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: > On (10/03/16 23:09), Oleg Fayans wrote: >> Hi Martin, >> >> >> >> On 03/08/2016 08:18 PM, Martin Basti wrote: >>> >>> >>> On 08.03.2016 18:24, Martin Basti wrote: >>>> >>>> >>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>> The patches were rebased against the current master >>>>> >>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>> * old messages have been removed * >>>>>>>>>> 1) >>>>>>>>>> this method is unused please remove it >>>>>>>>>> >>>>>>>>>> def test_kra_install_master(self): >>>>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>>>> keep it: >>>>>>> >>>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>> --collect-only >>>>>>> ==================================================================================== >>>>>>> >>>>>>> >>>>>>> test session starts >>>>>>> ===================================================================================== >>>>>>> >>>>>>> >>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 
>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>> pytest.ini >>>>>>> plugins: sourceorder, multihost >>>>>>> collected 8 items >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> aah my bad, I forgot that pytest executes it when it begins with test_* >>>>>> even in parent class >>>>>>>>>> 2) >>>>>>>>>> Why are these there? I do not see any usage >>>>>>>>>> >>>>>>>>>> from env_config import get_global_config >>>>>>>>>> config = get_global_config() >>>>>>> Removed >>>>>>> >>>>>>>>>> 3) nitpick >>>>>>>>>> + num_clients = 0 >>>>>>>>>> this is set by default >>>>>>> Removed >>>>>>> >>>>>>>>>> otherwise LGTM >>>>>>>>>> >>>>>>>>>> Results of testing tomorrow. >>>>>>>>>> >>>>>>>>>> Martin^2 >>>>>>>>>> >>>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>>> >>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>>>> remove it before proceeding: >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>>> host-del replica1.ipa.test >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>>> code: 3 >>>>>>>>> FAILED >>>>>>> this is exactly the error that happens when a workaround for 5627 >>>>>>> is not >>>>>>> applied. I have re-run the tests with all the patches and everything >>>>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>>>> correctly? >>>>>>> >>>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>> --pdb >>>>>>> ==================================================================================== >>>>>>> >>>>>>> >>>>>>> test session starts >>>>>>> ===================================================================================== >>>>>>> >>>>>>> >>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>> pytest.ini >>>>>>> plugins: sourceorder, multihost >>>>>>> collected 8 items >>>>>>> >>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>> >>>>>>> ================================================================================ >>>>>>> >>>>>>> >>>>>>> 8 passed in 7561.93 seconds >>>>>>> ================================================================================= >>>>>>> >>>>>>> >>>>>>> >>>>>> I will >>>>>> >>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>> NACK >>>> >>>> 1) >>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>> >>>> >>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>> 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >>>> already configured on this system, ignoring the --domain, --server, >>>> --realm, --hostname, --password and --keytab options. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >>>> may be partly configured. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>> provide a file generated by ipa-replica-prepare to create a replica >>>> when the domain is at level 0. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>> ipa-replica-install command failed. 
See >>>> /var/log/ipareplica-install.log for more information >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >>>> FAILED >>>> >>>> 2) >>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>> >>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>> 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>> already configured on this system, ignoring the --domain, --server, >>>> --realm, --hostname, --password and --keytab options. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>> may be partly configured. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>> provide a file generated by ipa-replica-prepare to create a replica >>>> when the domain is at level 0. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>> ipa-replica-install command failed. 
See >>>> /var/log/ipareplica-install.log for more information >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>> FAILED >>>> >>>> >>>> 3) >>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>> >>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>> already configured on this system, ignoring the --domain, --server, >>>> --realm, --hostname, --password and --keytab options. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>> may be partly configured. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>> provide a file generated by ipa-replica-prepare to create a replica >>>> when the domain is at level 0. >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>> ipa-replica-install command failed. 
See >>>> /var/log/ipareplica-install.log for more information >>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>> FAILED >>>> >>>> >>>> Reason: >>>> >>>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>> - setup_kra=False, extra_args=()): >>>> + setup_kra=False, extra_args=(), domain_level=None): >>>> + if domain_level is None: >>>> + domain_level = domainlevel(master) >> >> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >> The successful run is attached >> >>>> >>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>> + if domainlevel == DOMAIN_LEVEL_0: >>>> >>>> domain_level variable is actually unused >>>> >>> Also with your patch that removes host_prepare, I see many following >>> errors in test debug output >>> >>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >>> cd: /root/ipatests: No such file or directory >>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >>> /root/ipatests/env.sh: No such file or directory >>> >>> >>> I do not see these errors in current tests, so the patch does not seem >>> right to me. >> >> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >> >> I've been experimenting a lot to find get rid of it but was >> unsuccessful. Seemingly it does not affect the tests. 
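Review bot: in the second quoted hunk, the new condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` function object with the constant instead of the `domain_level` value resolved at the top of `install_replica()`, so the level 0 branch is never taken and the new `domain_level` parameter has no effect. This matches the "You must provide a file generated by ipa-replica-prepare" failures in the quoted logs. The condition should read `if domain_level == DOMAIN_LEVEL_0:`.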
>> > Oleg it looks like you broke something > in the test_integration/test_external_ca.py > > _______________________ TestExternalCA.test_external_ca ________________________ > > self = > > def test_external_ca(self): > # Step 1 of ipa-server-install > self.master.run_command([ > 'ipa-server-install', '-U', > '-a', self.master.config.admin_password, > '-p', self.master.config.dirman_password, > '--setup-dns', '--no-forwarders', > '-n', self.master.domain.name, > '-r', self.master.domain.realm, > '--domain-level=%i' % self.master.config.domain_level, > '--external-ca' > ]) > > nss_db = os.path.join(self.master.config.test_dir, 'testdb') > external_cert_file = os.path.join(nss_db, 'ipa.crt') > external_ca_file = os.path.join(nss_db, 'ca.crt') > noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') > pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') > > # Create noise and password files for NSS database >> self.master.run_command('date | sha256sum > %s' % noisefile) > > test_integration/test_external_ca.py:49: > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ > ../pytest_multihost/host.py:246: in run_command > command.wait(raiseonerr=raiseonerr) > _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ > > self = > raiseonerr = True > > def wait(self, raiseonerr=True): > """Wait for the remote process to exit > > Raises an excption if the exit code is not 0, unless raiseonerr is > true. 
>         """
>         if self._done:
>             return self.returncode
>
>         self._end_process()
>
>         self._done = True
>
>         if raiseonerr and self.returncode:
>             self.log.error('Exit code: %s', self.returncode)
>>            raise subprocess.CalledProcessError(self.returncode, self.argv)
> E           CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1
>
> ../pytest_multihost/transport.py:159: CalledProcessError
> ---------------------------- Captured stdout setup -----------------------------
>
> ========================== 1 failed in 32.25 seconds ===========================
>
>
>
> The command "date | sha256sum > /root/ipatests/noise.txt"
>
> The only explanation is that the directory /root/ipatests/ does not exist.

Obviously this is caused by my patch N 0025
freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
Without it replica_promotion tests would fail.
The only compromise I see is to remove this line in unapply_fixes function in ipatests/test_integration/tasks.py:

    host.run_command(['rm', '-rvf', host.config.test_dir])

Now the biggest question is: why do we keep removing the config folder anyway? All the files (backups of /etc/hosts, etc) that ever get there get overwritten each time anyway so it's quite safe to just keep the folder throughout the whole test execution.

>
> LS
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From mbasti at redhat.com Thu Mar 17 15:09:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 17 Mar 2016 16:09:32 +0100
Subject: [Freeipa-devel] user-* commands performance issues
Message-ID: <56EAC8AC.2030805@redhat.com>

Hello all,

I would like to discuss the way how we should improve the speed of user-find commands (and other commands too if possible):

0) Do not do extra search for ipasshpubkey.
This is clear, patch posted for review.
https://fedorahosted.org/freeipa/ticket/3376
commands: user, stageuser, host, idview

1) make --no-members option visible in CLI
https://fedorahosted.org/freeipa/ticket/4995
I don't think we should implement also --no-indirect-members, I think that this kind of granularity is not needed. If --no-members is used, then indirect members will be ignored too.
commands: all which use members

2) Limit the amount of searches for memberof[indirect] (group, netgroup, role, hbacrule, sudorule) and search for each dn only once in find commands.
We can have configurable option in default.conf (for example memberof_search_limit=100 (0 unlimited)). Find commands will get members only for specified amount and if this limit is exceeded a warning message is shown. I do not like this idea much, I think it should be all or nothing, I prefer to not do this.
However I like the idea of temporary caching inside find commands, where each memberof DN is resolved just once and results are cached in a map and reused in current context of command. This should be improvement mainly for indirect searches, but cache should be faster for direct members than doing internal calls of framework objects. This part is backward compatible, the first part is not.
https://fedorahosted.org/freeipa/ticket/5282
commands: user-find, stageuser-find, possibly all find commands

3) Remove userPassword, krbPrincipalKey from search results
This change is not backward compatible, can we do this?
https://fedorahosted.org/freeipa/ticket/5281 commands: user-find Martin^2 From mbabinsk at redhat.com Thu Mar 17 15:10:10 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 17 Mar 2016 16:10:10 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EAC116.3000504@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com> Message-ID: <56EAC8D2.5020008@redhat.com> On 03/17/2016 03:37 PM, Petr Vobornik wrote: > On 03/17/2016 03:17 PM, Martin Babinsky wrote: >> On 03/17/2016 02:55 PM, Petr Vobornik wrote: >>> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>>> Hi list, >>>> >>>> I would like to discuss the merge of `del_master_managed()` function >>>> from `ipa-replica-manage` command into the server_del API call that >>>> is a >>>> part of the managed replication topology design update[1] (see also the >>>> corresponding upstream ticket [2]). >>>> >>>> Before I head down into coding I want to be sure that everyone is one >>>> the same page regarding the expected use-cases which govern the API >>>> design. >>>> >>>> IIUC, there are two main uses of the new functionality according to >>>> design document: >>>> >>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>>> domain-level 1 >>> >>> Right, this is for backwards compatibility(BC). >>> >>>> >>>> 2.) during 'ipa-server-install --uninstall', 'server_del' should be >>>> called on one of remote masters to remove the uninstalled server from >>>> the managed topology >>>> >>>> What I didn't get from the design document is whether the method should >>>> have some kind of 'force' option which should bypass all topology >>>> connectivity checks. 
Currently both `ipa-replica-manage del` and server >>>> uninstaller have options which will force the removal even if it >>>> disconnects the topology ('--force' in the former, >>>> '--ignore-disconnected-topology' in the latter). >>> >>> I would say that uninstaller should do checks in validate method >>> therefore the subsequent `server-del` doesn't need to do it again but it >>> shouldn't harm. I.e. it should follow what the user specified. If user >>> wants to skip (--ignore-d..-t..) then skip. If not then it will fail in >>> validate method. >>> >>> Only issue might be error state where servers have different picture of >>> the topology. >>> >> If the view of the topology is not self-consistent then you have plenty >> of other issues to take care of and that may include some forced removal >> and recreation of nodes. >> >>>> >>>> I guess the 'server_del' method should inherit this flag so that we >>>> retain the original functionality (for better or worse). I propose to >>>> name this option 'ignore_topology_disconnect' because it is more >>>> descriptive than plain 'force'. >>> >>> +1 >>> >>> And in BC case, `ipa-replica-manage --force` would call `server-del >>> --ig..-d..-t...` >>> >> Yes. >>>> >>>> I would also like to ask whether 'server_del' (which is currently >>>> NO_CLI) should be usable also from command line. >>> >>> IMO yes, it should mostly as a couterpart of `ipa-replica-manage --force >>> --clean` >>> >>> Which bring us to --clean option and what it should do... >>> >> According to the design, '--clean' should be used as a cleanup of >> leftovers after deleted servers. How I image it from the implementation >> point of view is that when '--clean' is specified and the server was >> already deleted, the NotFound error raised from the framework should be >> ignored and the code should continue in clean up. 
(I assume that >> segment/service/dns cleanup will be done in post_callback portion and >> the topology connectivity/sanity checks in the pre_callback). > > When thinking about it, clean could be a separate command which would be > called internally in post callback of server-del. It would reduce the > number of ifs in server-del and simplify it in general. It would work > only if server entry doesn't exists. > That was my original idea. I also thought that 'check_last_link_managed' could be a separate command, but it is probably not a very good idea to add the overhead of calling two separate commands to a single API call. OTOH it would improve the code organization IMHO. >> That means that '--clean' has no additional effect when the server >> exists. > > Right > >>>> >>>> >>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>>> -- Martin^3 Babinsky From pvoborni at redhat.com Thu Mar 17 15:15:59 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 17 Mar 2016 16:15:59 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EAC8D2.5020008@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com> <56EAC8D2.5020008@redhat.com> Message-ID: <56EACA2F.6060509@redhat.com> On 03/17/2016 04:10 PM, Martin Babinsky wrote: > On 03/17/2016 03:37 PM, Petr Vobornik wrote: >> On 03/17/2016 03:17 PM, Martin Babinsky wrote: >>> On 03/17/2016 02:55 PM, Petr Vobornik wrote: >>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>>>> Hi list, >>>>> >>>>> I would like to discuss the merge of `del_master_managed()` function >>>>> from `ipa-replica-manage` command into the server_del API call that >>>>> is a >>>>> part of the managed replication topology design update[1] (see also >>>>> the >>>>> corresponding upstream ticket [2]). 
>>>>> >>>>> Before I head down into coding I want to be sure that everyone is one >>>>> the same page regarding the expected use-cases which govern the API >>>>> design. >>>>> >>>>> IIUC, there are two main uses of the new functionality according to >>>>> design document: >>>>> >>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>>>> domain-level 1 >>>> >>>> Right, this is for backwards compatibility(BC). >>>> >>>>> >>>>> 2.) during 'ipa-server-install --uninstall', 'server_del' should be >>>>> called on one of remote masters to remove the uninstalled server from >>>>> the managed topology >>>>> >>>>> What I didn't get from the design document is whether the method >>>>> should >>>>> have some kind of 'force' option which should bypass all topology >>>>> connectivity checks. Currently both `ipa-replica-manage del` and >>>>> server >>>>> uninstaller have options which will force the removal even if it >>>>> disconnects the topology ('--force' in the former, >>>>> '--ignore-disconnected-topology' in the latter). >>>> >>>> I would say that uninstaller should do checks in validate method >>>> therefore the subsequent `server-del` doesn't need to do it again >>>> but it >>>> shouldn't harm. I.e. it should follow what the user specified. If user >>>> wants to skip (--ignore-d..-t..) then skip. If not then it will fail in >>>> validate method. >>>> >>>> Only issue might be error state where servers have different picture of >>>> the topology. >>>> >>> If the view of the topology is not self-consistent then you have plenty >>> of other issues to take care of and that may include some forced removal >>> and recreation of nodes. >>> >>>>> >>>>> I guess the 'server_del' method should inherit this flag so that we >>>>> retain the original functionality (for better or worse). I propose to >>>>> name this option 'ignore_topology_disconnect' because it is more >>>>> descriptive than plain 'force'. 
>>>> >>>> +1 >>>> >>>> And in BC case, `ipa-replica-manage --force` would call `server-del >>>> --ig..-d..-t...` >>>> >>> Yes. >>>>> >>>>> I would also like to ask whether 'server_del' (which is currently >>>>> NO_CLI) should be usable also from command line. >>>> >>>> IMO yes, it should mostly as a couterpart of `ipa-replica-manage >>>> --force >>>> --clean` >>>> >>>> Which bring us to --clean option and what it should do... >>>> >>> According to the design, '--clean' should be used as a cleanup of >>> leftovers after deleted servers. How I image it from the implementation >>> point of view is that when '--clean' is specified and the server was >>> already deleted, the NotFound error raised from the framework should be >>> ignored and the code should continue in clean up. (I assume that >>> segment/service/dns cleanup will be done in post_callback portion and >>> the topology connectivity/sanity checks in the pre_callback). >> >> When thinking about it, clean could be a separate command which would be >> called internally in post callback of server-del. It would reduce the >> number of ifs in server-del and simplify it in general. It would work >> only if server entry doesn't exists. >> > That was my original idea. I also thought that 'check_last_link_managed' > could be a separate command, but it is probably not a very good idea to > add the overhead of calling two separate commands to a single API call. > OTOH it would improve the code organization IMHO. Not sure if check_last_link_managed should be an API command. It is already a separate function. What would be the use case for it as a command? Maybe the function should be moved from ipaserver/install/replication to a more suitable place given that it's used from API - it's up to you. > >>> That means that '--clean' has no additional effect when the server >>> exists. 
>> >> Right >> >>>>> >>>>> >>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>>>> > > -- Petr Vobornik From mbabinsk at redhat.com Thu Mar 17 15:31:16 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 17 Mar 2016 16:31:16 +0100 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56EACA2F.6060509@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com> <56EAC8D2.5020008@redhat.com> <56EACA2F.6060509@redhat.com> Message-ID: <56EACDC4.8000203@redhat.com> On 03/17/2016 04:15 PM, Petr Vobornik wrote: > On 03/17/2016 04:10 PM, Martin Babinsky wrote: >> On 03/17/2016 03:37 PM, Petr Vobornik wrote: >>> On 03/17/2016 03:17 PM, Martin Babinsky wrote: >>>> On 03/17/2016 02:55 PM, Petr Vobornik wrote: >>>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>>>>> Hi list, >>>>>> >>>>>> I would like to discuss the merge of `del_master_managed()` function >>>>>> from `ipa-replica-manage` command into the server_del API call that >>>>>> is a >>>>>> part of the managed replication topology design update[1] (see also >>>>>> the >>>>>> corresponding upstream ticket [2]). >>>>>> >>>>>> Before I head down into coding I want to be sure that everyone is one >>>>>> the same page regarding the expected use-cases which govern the API >>>>>> design. >>>>>> >>>>>> IIUC, there are two main uses of the new functionality according to >>>>>> design document: >>>>>> >>>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>>>>> domain-level 1 >>>>> >>>>> Right, this is for backwards compatibility(BC). >>>>> >>>>>> >>>>>> 2.) 
during 'ipa-server-install --uninstall', 'server_del' should be >>>>>> called on one of remote masters to remove the uninstalled server from >>>>>> the managed topology >>>>>> >>>>>> What I didn't get from the design document is whether the method >>>>>> should >>>>>> have some kind of 'force' option which should bypass all topology >>>>>> connectivity checks. Currently both `ipa-replica-manage del` and >>>>>> server >>>>>> uninstaller have options which will force the removal even if it >>>>>> disconnects the topology ('--force' in the former, >>>>>> '--ignore-disconnected-topology' in the latter). >>>>> >>>>> I would say that uninstaller should do checks in validate method >>>>> therefore the subsequent `server-del` doesn't need to do it again >>>>> but it >>>>> shouldn't harm. I.e. it should follow what the user specified. If user >>>>> wants to skip (--ignore-d..-t..) then skip. If not then it will >>>>> fail in >>>>> validate method. >>>>> >>>>> Only issue might be error state where servers have different >>>>> picture of >>>>> the topology. >>>>> >>>> If the view of the topology is not self-consistent then you have plenty >>>> of other issues to take care of and that may include some forced >>>> removal >>>> and recreation of nodes. >>>> >>>>>> >>>>>> I guess the 'server_del' method should inherit this flag so that we >>>>>> retain the original functionality (for better or worse). I propose to >>>>>> name this option 'ignore_topology_disconnect' because it is more >>>>>> descriptive than plain 'force'. >>>>> >>>>> +1 >>>>> >>>>> And in BC case, `ipa-replica-manage --force` would call `server-del >>>>> --ig..-d..-t...` >>>>> >>>> Yes. >>>>>> >>>>>> I would also like to ask whether 'server_del' (which is currently >>>>>> NO_CLI) should be usable also from command line. >>>>> >>>>> IMO yes, it should mostly as a couterpart of `ipa-replica-manage >>>>> --force >>>>> --clean` >>>>> >>>>> Which bring us to --clean option and what it should do... 
>>>>> >>>> According to the design, '--clean' should be used as a cleanup of >>>> leftovers after deleted servers. How I image it from the implementation >>>> point of view is that when '--clean' is specified and the server was >>>> already deleted, the NotFound error raised from the framework should be >>>> ignored and the code should continue in clean up. (I assume that >>>> segment/service/dns cleanup will be done in post_callback portion and >>>> the topology connectivity/sanity checks in the pre_callback). >>> >>> When thinking about it, clean could be a separate command which would be >>> called internally in post callback of server-del. It would reduce the >>> number of ifs in server-del and simplify it in general. It would work >>> only if server entry doesn't exists. >>> >> That was my original idea. I also thought that 'check_last_link_managed' >> could be a separate command, but it is probably not a very good idea to >> add the overhead of calling two separate commands to a single API call. >> OTOH it would improve the code organization IMHO. > > Not sure if check_last_link_managed should be an API command. It is > already a separate function. What would be the use case for it as a > command? > > Maybe the function should be moved from ipaserver/install/replication to > a more suitable place given that it's used from API - it's up to you. > I will move the required code from ipaserver/install/replication anyway since it needs to be usable also for clients, and it also needs substantial modification so that it can fit into API context (prune all prints, etc.). I can't think about any use case so there is probably no point in 'commandifying' it:). >> >>>> That means that '--clean' has no additional effect when the server >>>> exists. 
>>> >>> Right >>> >>>>>> >>>>>> >>>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>>>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>>>>> >> >> -- Martin^3 Babinsky From mbasti at redhat.com Thu Mar 17 15:41:17 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 17 Mar 2016 16:41:17 +0100 Subject: [Freeipa-devel] [PATCH 0434] log: add timestamp to filename of logs In-Reply-To: <56E6B96C.6030404@redhat.com> References: <56DEF053.4090809@redhat.com> <56DEF1B7.40907@redhat.com> <56DF14D3.5050400@redhat.com> <56E282EC.5060206@redhat.com> <56E28816.50407@redhat.com> <56E29C26.7080806@redhat.com> <56E2CF73.1010409@redhat.com> <56E2D799.3000705@redhat.com> <56E662F3.8010408@redhat.com> <56E6B50F.6050200@redhat.com> <56E6B96C.6030404@redhat.com> Message-ID: <56EAD01D.2040304@redhat.com> On 14.03.2016 14:15, Jan Cholasta wrote: > On 14.3.2016 13:56, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> On 11.3.2016 15:56, Gabe Alford wrote: >>>> On Fri, Mar 11, 2016 at 7:35 AM, Petr Vobornik >>> > wrote: >>>> >>>> On 03/11/2016 03:00 PM, Rob Crittenden wrote: >>>> >>>> Martin Kosek wrote: >>>> >>>> On 03/11/2016 09:55 AM, Jan Cholasta wrote: >>>> >>>> On 11.3.2016 09:33, Martin Kosek wrote: >>>> >>>> On 03/08/2016 07:07 PM, Martin Basti wrote: >>>> >>>> >>>> >>>> On 08.03.2016 16:37, Martin Basti wrote: >>>> >>>> >>>> >>>> On 08.03.2016 16:31, Martin Basti wrote: >>>> >>>> >>>> https://fedorahosted.org/freeipa/ticket/4501 >>>> >>>> Patch attached. >>>> >>>> >>>> Rebased patch attached. >>>> >>>> >>>> >>>> self-NACK >>>> >>>> Scripts print to CLI unformatted strings, it >>>> should not be so easy. >>>> See /var/log/ipaupgrade-{timestamp}.log >>>> for more >>>> information >>>> >>>> >>>> second-NACK. We cannot break existing log file >>>> paths. The paths are mentioned >>>> in a documentation and there may be also >>>> automation >>>> around that (gathering log >>>> files). 
So there should be always symlink from >>>> the >>>> well known location to the >>>> newest timestampe'd log. >>>> >>>> >>>> Sorry, but this is absurd. What's the point of >>>> maintaining backward >>>> compatibility with obsolete documentation? Following >>>> this logic, we would not >>>> be able to change anything ever. What we should >>>> actually >>>> do is update the >>>> documentation. Ditto for automation. >>>> >>>> >>>> +1 for updating the automation and documentation. But >>>> some >>>> backward >>>> compatibility will need to be retained, at least for the >>>> stable systems like >>>> RHEL where *other* people may have some automation or >>>> documentation around it, >>>> not just us. >>>> >>>> >>>> Or you could just also create a symlink to the old name >>>> and it >>>> will >>>> always just work. >>>> >>>> rob >>>> >>>> >>>> Aren't the symlinks what Martin2 mentioned in second-NACK? >>>> >>>> These new timestamped logs should be combined with the Gabe's >>>> patches: #5728 (renamed to command name) and #5724 (move to >>>> /var/log/ipa directory). >>>> >>>> So that there will be e.g.: >>>> /var/log/ipaserver-install.log -> >>>> /var/log/ipa-server-install-{timestamp}.log >>>> >>>> /var/log/ipa/ipa-server-install.log -> >>>> /var/log/ipa-server-install-{timestamp}.log >>>> >>>> >>>> I wonder if it would be simpler/better to always write to the *.log >>>> file, and then have old logs timestamped rather than write directly >>>> to a >>>> timestamped log file? >>>> Then just symlink the original log file in /var/log/ to the new log >>>> file >>>> name/location in /var/log/ipa. 
>>>>
>>>> For example:
>>>> /var/log/ipaserver-install.log ->
>>>> /var/log/ipa/ipa-server-install.log <-- We write to this log (current)
>>>>
>>>> /var/log/ipa-server-install-{timestamp}.log <-- Old log with some date
>>>>
>>>> /var/log/ipa-server-install-{timestamp}.log <-- Older log with some date
>>>>
>>>> /var/log/ipa-server-install-{timestamp}.log <-- Oldest log with some date
>>>
>>> This is way too overengineered for something that should actually be
>>> really simple. I don't care if it is done this way or not, but IMHO it
>>> would be a waste of time. Logs are not API and should not be treated as
>>> such. If it needs to be done differently on RHEL, it should be handled
>>> downstream.
>>
>> Sure logs are not API but they have been named the same way since
>> inception (nearly 8 years now). I don't think symlinking to the old
>> names is a big deal.
>
> It kind of is, since you have to keep the symlink up to date, handle
> the case when there is a regular file in place of the symlink, and
> they won't work properly for commands which currently append to their
> log files rather than overwrite them anyway.
>
> To do this properly, you have to add a new FileHandler with proper
> options for each old log file. IMHO there is no benefit in doing this
> upstream, but it is relatively straightforward and isolated to be done
> downstream.
>

PermaNACK, the ticket has been moved to Future Releases

From mbasti at redhat.com Thu Mar 17 16:36:25 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 17 Mar 2016 17:36:25 +0100
Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
Message-ID: <56EADD09.2060109@redhat.com>

https://fedorahosted.org/freeipa/ticket/5681

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0441-Configure-httpd-service-from-installer-instead-of-di.patch
Type: text/x-patch
Size: 8922 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Thu Mar 17 17:16:01 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 17 Mar 2016 18:16:01 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
Message-ID: <56EAE651.4040603@redhat.com>

Hi list,

here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
document concerning the concept of Server Roles as a user-friendly
abstraction of the services running on IPA masters.

The main aim of this feature is to provide a higher level interface to
query and manipulate service-related information stored in dirsrv backend.

I have not touched the design much from the post-Devconf session, mainly
because there are some points to clarify and agree upon.

I have the following points to discuss:

1.) the design assumes that there is a distinction between roles such as
DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
master, CRL master, etc. Now in the hindsight I think this distinction is
quite artificial and just clutters the interface unnecessarily. We might
implement this kind of hierarchy in the code itself but that is something
the user needs not be aware of.

2.) I guess the role names should be case insensitive so that users are
not hindered by trying to get the case right.

3.) Do we need an internal API call which will add all services belonging
to a role to the corresponding master entry? (basically a
'server_add_role' type of command). Currently, each service instance adds
its own service entry during service installation so we probably do not
need to duplicate this functionality.

That is all I can think of right now. I had many more questions popping up
during this night's bout of insomnia, but they got lost during the day.

Do not be afraid to bring up other questions/remarks/comments. This is my
first design document so I expect them to be plenty.
-- Martin^3 Babinsky

From pvoborni at redhat.com Thu Mar 17 17:24:43 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 17 Mar 2016 18:24:43 +0100
Subject: [Freeipa-devel] [DRAFT] FreeIPA 4.2.4 release notes
Message-ID: <56EAE85B.6010900@redhat.com>

Hello all,

I prepared the release notes on FreeIPA.org wiki:
http://www.freeipa.org/page/Releases/4.2.4

Updates or improvements to release notes page welcome. Particularly if
you think some bug fixes/improvements deserve to be noted out as a
highlight, please give a suggestion or edit the page directly.

Thanks,
-- Petr Vobornik

From mbabinsk at redhat.com Thu Mar 17 17:40:12 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 17 Mar 2016 18:40:12 +0100
Subject: [Freeipa-devel] [PATCH 0142] spec: require python-cryptography newer than 0.9
Message-ID: <56EAEBFC.6050607@redhat.com>

https://fedorahosted.org/freeipa/ticket/5744

-- Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0142-spec-require-python-cryptography-newer-than-0.9.patch
Type: text/x-patch
Size: 1379 bytes
Desc: not available
URL:

From tbordaz at redhat.com Thu Mar 17 18:07:00 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 17 Mar 2016 19:07:00 +0100
Subject: [Freeipa-devel] [PATCH] 0018 DS deadlock when memberof scopes topology plugin updates
Message-ID: <56EAF244.9030202@redhat.com>

https://fedorahosted.org/freeipa/ticket/5637
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tbordaz-0018-DS-deadlock-when-memberof-scopes-topology-plugin-upda.patch Type: text/x-patch Size: 1538 bytes Desc: not available URL: From lslebodn at redhat.com Thu Mar 17 19:37:47 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 17 Mar 2016 20:37:47 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56EAC67D.8040701@redhat.com> References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> Message-ID: <20160317193747.GB23625@mail.corp.redhat.com> On (17/03/16 16:00), Oleg Fayans wrote: >Hi Lukas, > >On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: >> On (10/03/16 23:09), Oleg Fayans wrote: >>> Hi Martin, >>> >>> >>> >>> On 03/08/2016 08:18 PM, Martin Basti wrote: >>>> >>>> >>>> On 08.03.2016 18:24, Martin Basti wrote: >>>>> >>>>> >>>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>>> The patches were rebased against the current master >>>>>> >>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>>> * old messages have been removed * >>>>>>>>>>> 1) >>>>>>>>>>> this method is unused please remove it >>>>>>>>>>> >>>>>>>>>>> def test_kra_install_master(self): >>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>>>>> keep it: >>>>>>>> >>>>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>>> --collect-only >>>>>>>> ==================================================================================== >>>>>>>> >>>>>>>> >>>>>>>> test session starts >>>>>>>> ===================================================================================== >>>>>>>> >>>>>>>> >>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>> rootdir: 
/usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>> pytest.ini >>>>>>>> plugins: sourceorder, multihost >>>>>>>> collected 8 items >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> aah my bad, I forgot that pytest executes it when it begins with test_* >>>>>>> even in parent class >>>>>>>>>>> 2) >>>>>>>>>>> Why are these there? I do not see any usage >>>>>>>>>>> >>>>>>>>>>> from env_config import get_global_config >>>>>>>>>>> config = get_global_config() >>>>>>>> Removed >>>>>>>> >>>>>>>>>>> 3) nitpick >>>>>>>>>>> + num_clients = 0 >>>>>>>>>>> this is set by default >>>>>>>> Removed >>>>>>>> >>>>>>>>>>> otherwise LGTM >>>>>>>>>>> >>>>>>>>>>> Results of testing tomorrow. >>>>>>>>>>> >>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>>>> >>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>>>>> remove it before proceeding: >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>>>> host-del replica1.ipa.test >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>>>> code: 3 >>>>>>>>>> FAILED >>>>>>>> this is exactly the error that happens when a workaround for 5627 >>>>>>>> is not >>>>>>>> applied. I have re-run the tests with all the patches and everything >>>>>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>>>>> correctly? >>>>>>>> >>>>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>>> --pdb >>>>>>>> ==================================================================================== >>>>>>>> >>>>>>>> >>>>>>>> test session starts >>>>>>>> ===================================================================================== >>>>>>>> >>>>>>>> >>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>> pytest.ini >>>>>>>> plugins: sourceorder, multihost >>>>>>>> collected 8 items >>>>>>>> >>>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>>> >>>>>>>> ================================================================================ >>>>>>>> >>>>>>>> >>>>>>>> 8 passed in 7561.93 seconds >>>>>>>> ================================================================================= >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> I will >>>>>>> >>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>>> NACK >>>>> >>>>> 1) >>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>> >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>> 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >>>>> already configured on this system, ignoring the --domain, --server, >>>>> --realm, --hostname, --password and --keytab options. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >>>>> may be partly configured. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>> when the domain is at level 0. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>> ipa-replica-install command failed. 
See >>>>> /var/log/ipareplica-install.log for more information >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >>>>> FAILED >>>>> >>>>> 2) >>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>> 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>>> already configured on this system, ignoring the --domain, --server, >>>>> --realm, --hostname, --password and --keytab options. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>>> may be partly configured. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>> when the domain is at level 0. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>> ipa-replica-install command failed. 
See >>>>> /var/log/ipareplica-install.log for more information >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>>> FAILED >>>>> >>>>> >>>>> 3) >>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>>> already configured on this system, ignoring the --domain, --server, >>>>> --realm, --hostname, --password and --keytab options. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>>> may be partly configured. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>> when the domain is at level 0. >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>> ipa-replica-install command failed. 
See >>>>> /var/log/ipareplica-install.log for more information >>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>>> FAILED >>>>> >>>>> >>>>> Reason: >>>>> >>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>>> - setup_kra=False, extra_args=()): >>>>> + setup_kra=False, extra_args=(), domain_level=None): >>>>> + if domain_level is None: >>>>> + domain_level = domainlevel(master) >>> >>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>> The successful run is attached >>> >>>>> >>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>> >>>>> domain_level variable is actually unused >>>>> >>>> Also with your patch that removes host_prepare, I see many following >>>> errors in test debug output >>>> >>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >>>> cd: /root/ipatests: No such file or directory >>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >>>> /root/ipatests/env.sh: No such file or directory >>>> >>>> >>>> I do not see these errors in current tests, so the patch does not seem >>>> right to me. >>> >>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>> >>> I've been experimenting a lot to find get rid of it but was >>> unsuccessful. Seemingly it does not affect the tests. 
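Review bot: In the quoted install_replica hunk, the new condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` function itself with the constant rather than the new `domain_level` variable, so the comparison is never true and the value assigned by `domain_level = domainlevel(master)` is never read. That matches the three failures quoted above it, where ipa-replica-install is run without a replica file and stops with "You must provide a file generated by ipa-replica-prepare to create a replica when the domain is at level 0". The condition should read `if domain_level == DOMAIN_LEVEL_0:`. The new `domain_level=None` keyword would also benefit from a short comment or docstring line stating that None means the level is queried from the master.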
>>> >> Oleg it looks like you broke something >> in the test_integration/test_external_ca.py >> >> _______________________ TestExternalCA.test_external_ca ________________________ >> >> self = >> >> def test_external_ca(self): >> # Step 1 of ipa-server-install >> self.master.run_command([ >> 'ipa-server-install', '-U', >> '-a', self.master.config.admin_password, >> '-p', self.master.config.dirman_password, >> '--setup-dns', '--no-forwarders', >> '-n', self.master.domain.name, >> '-r', self.master.domain.realm, >> '--domain-level=%i' % self.master.config.domain_level, >> '--external-ca' >> ]) >> >> nss_db = os.path.join(self.master.config.test_dir, 'testdb') >> external_cert_file = os.path.join(nss_db, 'ipa.crt') >> external_ca_file = os.path.join(nss_db, 'ca.crt') >> noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') >> pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') >> >> # Create noise and password files for NSS database >>> self.master.run_command('date | sha256sum > %s' % noisefile) >> >> test_integration/test_external_ca.py:49: >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> ../pytest_multihost/host.py:246: in run_command >> command.wait(raiseonerr=raiseonerr) >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> >> self = >> raiseonerr = True >> >> def wait(self, raiseonerr=True): >> """Wait for the remote process to exit >> >> Raises an excption if the exit code is not 0, unless raiseonerr is >> true. 
>>         """
>>         if self._done:
>>             return self.returncode
>>
>>         self._end_process()
>>
>>         self._done = True
>>
>>         if raiseonerr and self.returncode:
>>             self.log.error('Exit code: %s', self.returncode)
>>>            raise subprocess.CalledProcessError(self.returncode, self.argv)
>> E           CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1
>>
>> ../pytest_multihost/transport.py:159: CalledProcessError
>> ---------------------------- Captured stdout setup -----------------------------
>>
>> ========================== 1 failed in 32.25 seconds ===========================
>>
>>
>>
>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>
>> The only explanation is that the directory /root/ipatests/ does not exist.
>
>Obviously this is caused by my patch N 0025
>freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>
>Without it replica_promotion tests would fail. The only compromise I see
>is to remove this line in unapply_fixes function in
>ipatests/test_integration/tasks.py:
>
>host.run_command(['rm', '-rvf', host.config.test_dir])
>
>Now the biggest question is: why do we keep removing the config folder
>anyway? All the files (backups of /etc/hosts, etc) that ever get there
>get overwritten each time anyway so it's quite safe to just keep the
>folder throughout the whole test execution.
>
I do not know why it was removed. IMHO it should be enough to remove just
content of this directory. But it will be good to fix it ASAP and unblock
test test_integration/test_external_ca.py
I hope we want to have green test in 4.3 branch.
Please also open a ticket so it can be backported to stable branch
(if needed)

LS

From tjaalton at ubuntu.com Fri Mar 18 04:16:47 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 18 Mar 2016 06:16:47 +0200
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <568E26DF.6090507@redhat.com>
References: <568E26DF.6090507@redhat.com>
Message-ID: <56EB812F.7060809@ubuntu.com>

07.01.2016, 10:50, Jan Cholasta wrote:
> Hi,
>
> the attached patch ports the _ipap11helper module to python-cffi.
>
> Combined with my patch 536 [1], this makes ipapython architecture
> independent.

don't know why it works for you, but ipa-ods-exporter and
ipa-dnskeysync-replica both still try to import _ipap11helper, which fails:

maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback (most recent call last):
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File "/usr/lib/ipa/ipa-ods-exporter", line 4
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import _ipap11helper
maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError: No module named _ipap11helper
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Service hold-off time over, sche
maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.

dropping the import makes it work again here.. this is with fairly
current ipa-4-3 branch.
-- t

From jcholast at redhat.com Fri Mar 18 06:17:19 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 18 Mar 2016 07:17:19 +0100
Subject: [Freeipa-devel] [PATCH 0426] spec: add missing requires to python*-ipalib package
In-Reply-To: <56D874FF.4010306@redhat.com>
References: <56CF3458.6030304@redhat.com> <56CFEFC1.4060301@redhat.com>
 <56D874FF.4010306@redhat.com>
Message-ID: <56EB9D6F.9090807@redhat.com>

On 3.3.2016 18:31, Martin Basti wrote:
>
>
> On 26.02.2016 07:25, Jan Cholasta wrote:
>> Hi,
>>
>> On 25.2.2016 18:05, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5680
>>>
>>> Patch attached.
>>
>> NACK.
>>
>> For python 3, the ldap module is provided by python3-pyldap.
>>
>> Any reason for the random ordering? The requires are not
>> alphabetically ordered, so I would prefer if you just appended the new
>> ones.
> updated patch attached.

Thanks, ACK.

Pushed to:
master: d6f03da7535565daa936b79c445b835410333974
ipa-4-3: 34ce42cc97fc7014a34179159e5a17690e4cdb34

>>
>> There are missing as well as redundant requires in other packages,
>> shouldn't we fix these too?
> Please file ticket for it.

https://fedorahosted.org/freeipa/ticket/5747

-- Jan Cholasta

From jcholast at redhat.com Fri Mar 18 07:45:45 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 18 Mar 2016 08:45:45 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <56EB812F.7060809@ubuntu.com>
References: <568E26DF.6090507@redhat.com> <56EB812F.7060809@ubuntu.com>
Message-ID: <56EBB229.9040002@redhat.com>

On 18.3.2016 05:16, Timo Aaltonen wrote:
> 07.01.2016, 10:50, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch ports the _ipap11helper module to python-cffi.
>>
>> Combined with my patch 536 [1], this makes ipapython architecture
>> independent.
>
> don't know why it works for you, but ipa-ods-exporter and
> ipa-dnskeysync-replica both still try to import _ipap11helper, which fails:
>
> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback (most recent call last):
> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File "/usr/lib/ipa/ipa-ods-exporter", line 4
> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import _ipap11helper
> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError: No module named _ipap11helper
> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited
> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
> maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service: Service hold-off time over, sche
> maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.
>
> dropping the import makes it work again here.. this is with fairly
> current ipa-4-3 branch.

Patch attached.

Pylint does not detect this obvious error for some reason.

-- Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-553.0.4_3-daemons-remove-unused-erroneous-_ipap11helper-import.patch
Type: text/x-patch
Size: 1486 bytes
Desc: not available
URL:

From tjaalton at ubuntu.com Fri Mar 18 07:45:53 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 18 Mar 2016 09:45:53 +0200
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <56EBB229.9040002@redhat.com>
References: <568E26DF.6090507@redhat.com> <56EB812F.7060809@ubuntu.com>
 <56EBB229.9040002@redhat.com>
Message-ID: <56EBB231.1070700@ubuntu.com>

18.03.2016, 09:45, Jan Cholasta wrote:
> On 18.3.2016 05:16, Timo Aaltonen wrote:
>> 07.01.2016, 10:50, Jan Cholasta wrote:
>>> Hi,
>>>
>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>
>>> Combined with my patch 536 [1], this makes ipapython architecture
>>> independent.
>>
>> don't know why it works for you, but ipa-ods-exporter and
>> ipa-dnskeysync-replica both still try to import _ipap11helper, which
>> fails:
>>
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback
>> (most recent call last):
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File
>> "/usr/lib/ipa/ipa-ods-exporter", line 4
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import
>> _ipap11helper
>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError:
>> No module named _ipap11helper
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>> Main process exited, code=exited
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>> Unit entered failed state.
>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>> Failed with result 'exit-code'.
>> maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>> Service hold-off time over, sche
>> maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC
>> Signer replacement.
>>
>> dropping the import makes it work again here..
>> this is with fairly
>> current ipa-4-3 branch.
>
> Patch attached.
>
> Pylint does not detect this obvious error for some reason.

can't beat git grep :)

I've tested with essentially the same patch, so it works.

-- t

From jcholast at redhat.com Fri Mar 18 08:23:27 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 18 Mar 2016 09:23:27 +0100
Subject: [Freeipa-devel] [PATCH 0435] client: enable ChallengeResponseAuthentication in sshd_config
In-Reply-To: <56E1B73C.2050805@redhat.com>
References: <56E1B73C.2050805@redhat.com>
Message-ID: <56EBBAFF.40103@redhat.com>

On 10.3.2016 19:04, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5703
>
> Patch attached.

Works for me, ACK.

Pushed to master: 04d4519ed545df6ca156cbccaab059cfc3338bf6

-- Jan Cholasta

From jcholast at redhat.com Fri Mar 18 08:33:22 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 18 Mar 2016 09:33:22 +0100
Subject: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns
In-Reply-To: <56E282AC.3070306@redhat.com>
References: <56DD6A4A.4050004@redhat.com> <56DD73B8.3080705@redhat.com>
 <56DD8D5D.6090301@redhat.com> <56DD9E19.6010608@redhat.com>
 <56DFF770.1010208@redhat.com> <56E26496.90500@redhat.com>
 <56E282AC.3070306@redhat.com>
Message-ID: <56EBBD52.8020700@redhat.com>

On 11.3.2016 09:32, Martin Babinsky wrote:
> On 03/11/2016 07:24 AM, Jan Cholasta wrote:
>> On 9.3.2016 11:14, Martin Babinsky wrote:
>>> On 03/07/2016 04:28 PM, Martin Kosek wrote:
>>>> On 03/07/2016 03:17 PM, Petr Spacek wrote:
>>>>> On 7.3.2016 13:27, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5696
>>>>>>
>>>>>> Shouldn't we rather fix IPA to work with bind running in chroot
>>>>>> (which is
>>>>>> AFAIK considered good security practice)?
>>>>>
>>>>> I would not invest into it:
>>>>> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature
>>>>>
>>>>
>>>> +1
>>>>
>>>> Martin
>>>>
>>>
>>> Then the patch should be sufficient, yes?
>>
>> Yes, but I would prefer if the directive was visually separated from
>> requires and had a comment (see how nss-pam-ldapd conflicts in
>> freeipa-server is done).
>>
> Fixed

Thanks, ACK.

Pushed to:
master: 3ab63fa6ba60947b1452c2108c4cf7637f4aacdb
ipa-4-3: 2b1b9ad6722e7008a97f09dc4a34019ad250cd4d

-- Jan Cholasta

From mbasti at redhat.com Fri Mar 18 08:46:00 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 09:46:00 +0100
Subject: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python
In-Reply-To: <56EBB231.1070700@ubuntu.com>
References: <568E26DF.6090507@redhat.com> <56EB812F.7060809@ubuntu.com>
 <56EBB229.9040002@redhat.com> <56EBB231.1070700@ubuntu.com>
Message-ID: <56EBC048.4080706@redhat.com>

On 18.03.2016 08:45, Timo Aaltonen wrote:
> 18.03.2016, 09:45, Jan Cholasta wrote:
>> On 18.3.2016 05:16, Timo Aaltonen wrote:
>>> 07.01.2016, 10:50, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patch ports the _ipap11helper module to python-cffi.
>>>>
>>>> Combined with my patch 536 [1], this makes ipapython architecture
>>>> independent.
>>> don't know why it works for you, but ipa-ods-exporter and
>>> ipa-dnskeysync-replica both still try to import _ipap11helper, which
>>> fails:
>>>
>>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: Traceback
>>> (most recent call last):
>>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: File
>>> "/usr/lib/ipa/ipa-ods-exporter", line 4
>>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: import
>>> _ipap11helper
>>> maalis 18 05:45:46 trusty.tyrell ipa-ods-exporter[8788]: ImportError:
>>> No module named _ipap11helper
>>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>>> Main process exited, code=exited
>>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>>> Unit entered failed state.
>>> maalis 18 05:45:46 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>>> Failed with result 'exit-code'.
>>> maalis 18 05:46:47 trusty.tyrell systemd[1]: ipa-ods-exporter.service:
>>> Service hold-off time over, sche
>>> maalis 18 05:46:47 trusty.tyrell systemd[1]: Stopped IPA OpenDNSSEC
>>> Signer replacement.
>>>
>>> dropping the import makes it work again here.. this is with fairly
>>> current ipa-4-3 branch.
>> Patch attached.
>>
>> Pylint does not detect this obvious error for some reason.
> can't beat git grep :)
>
> I've tested with essentially the same patch, so it works.
>
>

ACK

Pushed to ipa-4-3: 212c4cb671bec5a3d6fe320284136c87a81228ae

From mbasti at redhat.com Fri Mar 18 09:18:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 10:18:10 +0100
Subject: [Freeipa-devel] [PATCH 0142] spec: require python-cryptography newer than 0.9
In-Reply-To: <56EAEBFC.6050607@redhat.com>
References: <56EAEBFC.6050607@redhat.com>
Message-ID: <56EBC7D2.5080603@redhat.com>

On 17.03.2016 18:40, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5744
>
>
>

ACK
-------------- next part --------------
An HTML attachment was scrubbed...

From mkosek at redhat.com Fri Mar 18 09:21:41 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 18 Mar 2016 10:21:41 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
In-Reply-To: <56EAE651.4040603@redhat.com>
References: <56EAE651.4040603@redhat.com>
Message-ID: <56EBC8A5.9080504@redhat.com>

On 03/17/2016 06:16 PM, Martin Babinsky wrote:
> Hi list,
>
> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
> document concerning the concept of Server Roles as a user-friendly abstraction
> of the services running on IPA masters.
>
> The main aim of this feature is to provide a higher level interface to query
> and manipulate service-related information stored in dirsrv backend.
>
> I have not touched the design much from the post-Devconf session, mainly
> because there are some points to clarify and agree upon.

Initial thoughts:

* Use Cases: these are rather vague points what you want to implement. In Use
Case section, I would like to see what specific *user* use cases you are
addressing, i.e. what user problems you are solving. Ideally in a form of a
user story. Like here:

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
or here:
http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
or here:
http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases

> I have the following points to discuss:
>
> 1.) the design assumes that there is a distinction between roles such as DNS
> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
> master, etc. Now in the hindsight I think this distinction is quite artificial
> and just clutters the interface unnecessarily. We might implement this kind of
> hierarchy in the code itself but that is something the user needs not be aware of.

Well, there are dependencies. A server cannot be a CRL master without also
being a CA role. I assume same applies to DNSSEC master.

I think we need to think more about distinguishing what is role, what is just
an attribute of a role, etc. AD for example distinguishes roles, role service
and features:

https://technet.microsoft.com/en-us/library/cc754923.aspx

Martin

From mbasti at redhat.com Fri Mar 18 09:22:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 10:22:33 +0100
Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
In-Reply-To: <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com>
References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com>
Message-ID: <56EBC8D9.9050501@redhat.com>

On 29.02.2016 16:02, David Kupka wrote:
> Hello Christian,
> sorry for letting this patch rot for so long. I forgot about it the minute Fraser replied.
> To compensate a little I've fixed pep8 error, rebased it and attaching two versions for master and for 4.3 branch.
> I haven't found any missing cases and it works for me. If you're OK with the modified patches it can be pushed.
>
> David
>
> ----- Original Message -----
> From: "Christian Heimes"
> To: "Fraser Tweedale"
> Cc: "freeipa-devel"
> Sent: Wednesday, January 20, 2016 11:57:42 AM
> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
>
> On 2016-01-20 02:54, Fraser Tweedale wrote:
>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>>> ipaplatform.constants has platform specific names for a couple of system
>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>>> and DS_GROUP are defined in other modules. Similar to #5587 my
>>> patch moves the constants into the platform module.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5619
>> I see a few remaining cases:
>>
>> ipaserver/install/dsinstance.py
>> 712: pent = pwd.getpwnam("dirsrv")
>>
>> ipatests/test_integration/test_backup_and_restore.py
>> 167: self.master.run_command(['userdel', 'dirsrv'])
>> 168: self.master.run_command(['userdel', 'pkiuser'])
>>
>> ipaplatform/redhat/tasks.py
>> 441: if name == 'pkiuser':
>>
>> When these are included, ACK.
> Good catch!
>
> My new patch takes care of remaining cases.
>
>
>
>

Christian do you agree with proposed changes, can we push it?
Martin^2

From mbabinsk at redhat.com Fri Mar 18 09:28:23 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 10:28:23 +0100
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
Message-ID: <56EBCA37.6020306@redhat.com>

These patches implement behavior agreed upon during discussion of
https://fedorahosted.org/freeipa/ticket/5677

However I'm not sure if we want to push them into 4-3 branch (the
ticket is triaged into 4.3.2 milestone) since they modify the
framework behavior quite a bit.

If there is no need to have it there (CC'ing Milan since he is the
reporter), I would retriage it into 4.4 milestone.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0143-differentiate-between-limit-types-when-LDAP-search-e.patch
Type: text/x-patch
Size: 12769 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0144-specify-type-of-exceeded-limit-when-warning-about-tr.patch
Type: text/x-patch
Size: 4905 bytes

From mkubik at redhat.com Fri Mar 18 09:43:00 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Fri, 18 Mar 2016 10:43:00 +0100
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
In-Reply-To: <56EBCA37.6020306@redhat.com>
References: <56EBCA37.6020306@redhat.com>
Message-ID: <56EBCDA4.5000905@redhat.com>

On 03/18/2016 10:28 AM, Martin Babinsky wrote:
> These patches implement behavior agreed upon during discussion of
> https://fedorahosted.org/freeipa/ticket/5677
>
> However I'm not sure if we want to push them into 4-3 branch (the
> ticket is triaged into 4.3.2 milestone) since they modify the
> framework behavior quite a bit.
>
> If there is no need to have it there (CC'ing Milan since he is the
> reporter), I would retriage it into 4.4 milestone.
>
I'm OK with the patch being only in master/ipa-4-4. Assuming the problem
in the limits exceeded cases originates in the backend (be it directory
server or dogtag), we can compare the problem in a run on master and an
older branch. They will likely have the same cause.

--
Milan Kubik

From mbasti at redhat.com Fri Mar 18 09:44:01 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 10:44:01 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <20160317193747.GB23625@mail.corp.redhat.com>
References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com>
Message-ID: <56EBCDE1.9020409@redhat.com>

On 17.03.2016 20:37, Lukas Slebodnik wrote:
> On (17/03/16 16:00), Oleg Fayans wrote:
>> Hi Lukas,
>>
>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote:
>>> On (10/03/16 23:09), Oleg Fayans wrote:
>>>> Hi Martin,
>>>>
>>>>
>>>>
>>>> On 03/08/2016 08:18 PM, Martin Basti wrote:
>>>>>
>>>>> On 08.03.2016 18:24, Martin Basti wrote:
>>>>>>
>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote:
>>>>>>> The patches were rebased against the current master
>>>>>>>
>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote:
>>>>>>>> * old messages have been removed *
>>>>>>>>>>>> 1)
>>>>>>>>>>>> this method is unused please remove it
>>>>>>>>>>>>
>>>>>>>>>>>> def test_kra_install_master(self):
>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd better
>>>>>>>>> keep it:
>>>>>>>>>
>>>>>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
>>>>>>>>> --collect-only
>>>>>>>>> ====================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> test session starts
>>>>>>>>> =====================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests,
inifile:
>>>>>>>>> pytest.ini
>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>> collected 8 items
>>>>>>>>>
>>>>>>>> aah my bad, I forgot that pytest executes it when it begins with test_*
>>>>>>>> even in parent class
>>>>>>>>>>>> 2)
>>>>>>>>>>>> Why are these there? I do not see any usage
>>>>>>>>>>>>
>>>>>>>>>>>> from env_config import get_global_config
>>>>>>>>>>>> config = get_global_config()
>>>>>>>>> Removed
>>>>>>>>>
>>>>>>>>>>>> 3) nitpick
>>>>>>>>>>>> + num_clients = 0
>>>>>>>>>>>> this is set by default
>>>>>>>>> Removed
>>>>>>>>>
>>>>>>>>>>>> otherwise LGTM
>>>>>>>>>>>>
>>>>>>>>>>>> Results of testing tomorrow.
>>>>>>>>>>>>
>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>
>>>>>>>>>>> I applied all patches including workarounds, but test failed.
>>>>>>>>>>>
>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102',
>>>>>>>>>>> '/root/ipatests/replica-info.gpg']
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host
>>>>>>>>>>> replica1.ipa.test already exists on the master server.
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should
>>>>>>>>>>> remove it before proceeding:
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>>>>>>>>>>> host-del replica1.ipa.test
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>>>>> ipa-replica-install command failed.
See
>>>>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit
>>>>>>>>>>> code: 3
>>>>>>>>>>> FAILED
>>>>>>>>> this is exactly the error that happens when a workaround for 5627
>>>>>>>>> is not
>>>>>>>>> applied. I have re-run the tests with all the patches and everything
>>>>>>>>> passed. Could you please double-check, whether patch 0027 was applied
>>>>>>>>> correctly?
>>>>>>>>>
>>>>>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
>>>>>>>>> --pdb
>>>>>>>>> ====================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> test session starts
>>>>>>>>> =====================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>>>>> pytest.ini
>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>> collected 8 items
>>>>>>>>>
>>>>>>>>> test_integration/test_replica_promotion.py ........
>>>>>>>>>
>>>>>>>>> ================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 8 passed in 7561.93 seconds
>>>>>>>>> =================================================================================
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> I will
>>>>>>>>
>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch.
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723
>>>>>> NACK
>>>>>>
>>>>>> 1)
>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>
>>>>>>
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>> 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN
>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is
>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system
>>>>>> may be partly configured.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run
>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>> when the domain is at level 0.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>> ipa-replica-install command failed.
See
>>>>>> /var/log/ipareplica-install.log for more information
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1
>>>>>> FAILED
>>>>>>
>>>>>> 2)
>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall
>>>>>>
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>> 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is
>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system
>>>>>> may be partly configured.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>> when the domain is at level 0.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>> ipa-replica-install command failed.
See
>>>>>> /var/log/ipareplica-install.log for more information
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1
>>>>>> FAILED
>>>>>>
>>>>>>
>>>>>> 3)
>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall
>>>>>>
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1',
>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address',
>>>>>> '192.168.200.103', '-r', 'IPA.TEST']
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is
>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system
>>>>>> may be partly configured.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>> when the domain is at level 0.
>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>> ipa-replica-install command failed.
See >>>>>> /var/log/ipareplica-install.log for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>>>> FAILED >>>>>> >>>>>> >>>>>> Reason: >>>>>> >>>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>>>> - setup_kra=False, extra_args=()): >>>>>> + setup_kra=False, extra_args=(), domain_level=None): >>>>>> + if domain_level is None: >>>>>> + domain_level = domainlevel(master) >>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>>> The successful run is attached >>>> >>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>>> >>>>>> domain_level variable is actually unused >>>>>> >>>>> Also with your patch that removes host_prepare, I see many following >>>>> errors in test debug output >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >>>>> cd: /root/ipatests: No such file or directory >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >>>>> /root/ipatests/env.sh: No such file or directory >>>>> >>>>> >>>>> I do not see these errors in current tests, so the patch does not seem >>>>> right to me. >>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>>> >>>> I've been experimenting a lot to find get rid of it but was >>>> unsuccessful. Seemingly it does not affect the tests. 
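Review bot: in the quoted install_replica hunk, the replacement condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` helper function itself with the constant instead of the new `domain_level` argument, so the test is never true and the level 0 branch is skipped; that is consistent with the three failures quoted with the hunk, where ipa-replica-install was run without the file from ipa-replica-prepare on a level 0 domain. The condition should read `if domain_level == DOMAIN_LEVEL_0:`, which also puts the default assigned by `domain_level = domainlevel(master)` to use.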
>>>>
>>> Oleg it looks like you broke something
>>> in the test_integration/test_external_ca.py
>>>
>>> _______________________ TestExternalCA.test_external_ca ________________________
>>>
>>> self =
>>>
>>> def test_external_ca(self):
>>> # Step 1 of ipa-server-install
>>> self.master.run_command([
>>> 'ipa-server-install', '-U',
>>> '-a', self.master.config.admin_password,
>>> '-p', self.master.config.dirman_password,
>>> '--setup-dns', '--no-forwarders',
>>> '-n', self.master.domain.name,
>>> '-r', self.master.domain.realm,
>>> '--domain-level=%i' % self.master.config.domain_level,
>>> '--external-ca'
>>> ])
>>>
>>> nss_db = os.path.join(self.master.config.test_dir, 'testdb')
>>> external_cert_file = os.path.join(nss_db, 'ipa.crt')
>>> external_ca_file = os.path.join(nss_db, 'ca.crt')
>>> noisefile = os.path.join(self.master.config.test_dir, 'noise.txt')
>>> pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt')
>>>
>>> # Create noise and password files for NSS database
>>>> self.master.run_command('date | sha256sum > %s' % noisefile)
>>> test_integration/test_external_ca.py:49:
>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>> ../pytest_multihost/host.py:246: in run_command
>>> command.wait(raiseonerr=raiseonerr)
>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>
>>> self =
>>> raiseonerr = True
>>>
>>> def wait(self, raiseonerr=True):
>>> """Wait for the remote process to exit
>>>
>>> Raises an excption if the exit code is not 0, unless raiseonerr is
>>> true.
>>> """
>>> if self._done:
>>> return self.returncode
>>>
>>> self._end_process()
>>>
>>> self._done = True
>>>
>>> if raiseonerr and self.returncode:
>>> self.log.error('Exit code: %s', self.returncode)
>>>> raise subprocess.CalledProcessError(self.returncode, self.argv)
>>> E CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1
>>>
>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>> ---------------------------- Captured stdout setup -----------------------------
>>>
>>> ========================== 1 failed in 32.25 seconds ===========================
>>>
>>>
>>>
>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>
>>> The only explanation is that the directory /root/ipatests/ does not exist.
>> Obviously this is caused by my patch N 0025
>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>
>> Without it replica_promotion tests would fail. The only compromise I see
>> is to remove this line in unapply_fixes function in
>> ipatests/test_integration/tasks.py:
>>
>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>
>> Now the biggest question is: why do we keep removing the config folder
>> anyway? All the files (backups of /etc/hosts, etc) that ever get there
>> get overwritten each time anyway so it's quite safe to just keep the
>> folder throughout the whole test execution.
>>
> I do not know why it was removed. IMHO it should be enough
> to remove just content of this directory.
>
> But it will be good to fix it ASAP
> and unblock test test_integration/test_external_ca.py
> I hope we want to have green test in 4.3 branch.
> Please also open a ticket so it can be backported to
> stable branch (if needed)
>
> LS
>
Please do not file a new ticket, fix it as part of the current one.

IMO we should create that directory per test class. Create it before
first test, remove after last in the particular class.
Please ask Milan if there can be any issues with log collecting.
Martin^2

From mbabinsk at redhat.com Fri Mar 18 09:44:09 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 10:44:09 +0100
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
In-Reply-To: <56EBCDA4.5000905@redhat.com>
References: <56EBCA37.6020306@redhat.com> <56EBCDA4.5000905@redhat.com>
Message-ID: <56EBCDE9.2070202@redhat.com>

On 03/18/2016 10:43 AM, Milan Kubík wrote:
> On 03/18/2016 10:28 AM, Martin Babinsky wrote:
>> These patches implement behavior agreed upon during discussion of
>> https://fedorahosted.org/freeipa/ticket/5677
>>
>> However I'm not sure if we want to push them into 4-3 branch (the
>> ticket is triaged into 4.3.2 milestone) since they modify the
>> framework behavior quite a bit.
>>
>> If there is no need to have it there (CC'ing Milan since he is the
>> reporter), I would retriage it into 4.4 milestone.
>>
> I'm OK with the patch being only in master/ipa-4-4. Assuming the problem
> in the limits exceeded cases originates in the backend (be it directory
> server or dogtag), we can compare the problem in a run on master and an
> older branch. They will likely have the same cause.
>
Ok I will add the ticket to offline triage to push it out, then.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Fri Mar 18 09:47:01 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 10:47:01 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
In-Reply-To: <56EBC8A5.9080504@redhat.com>
References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com>
Message-ID: <56EBCE95.2070501@redhat.com>

On 03/18/2016 10:21 AM, Martin Kosek wrote:
> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>> Hi list,
>>
>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
>> document concerning the concept of Server Roles as a user-friendly abstraction
>> of the services running on IPA masters.
>>
>> The main aim of this feature is to provide a higher level interface to query
>> and manipulate service-related information stored in dirsrv backend.
>>
>> I have not touched the design much from the post-Devconf session, mainly
>> because there are some points to clarify and agree upon.
>
> Initial thoughts:
>
> * Use Cases: these are rather vague points what you want to implement. In Use
> Case section, I would like to see what specific *user* use cases you are
> addressing, i.e. what user problems you are solving. Ideally in a form of a
> user story. Like here:
>
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
> or here:
> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
> or here:
> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases
>
Ok I will think of some clearer points.

>> I have the following points to discuss:
>>
>> 1.) the design assumes that there is a distinction between roles such as DNS
>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
>> master, etc. Now in the hindsight I think this distinction is quite artificial
>> and just clutters the interface unnecessarily. We might implement this kind of
>> hierarchy in the code itself but that is something the user needs not be aware of.
>
> Well, there are dependencies. A server cannot be a CRL master without also
> being a CA role. I assume same applies to DNSSEC master.
>
> I think we need to think more about distinguishing what is role, what is just
> an attribute of a role, etc. AD for example distinguishes roles, role service
> and features:
>
> https://technet.microsoft.com/en-us/library/cc754923.aspx
>
We will have to implement the role/subrole/unicorn hierarchy anyhow. What I
would like to discuss is whether it is necessary to expose this hierarchy to
the users. Consider a case when user wants to find which server is a CA renewal
master:

ipa server-role-find "CA renewal master"

vs.

ipa server-role-find --subrole "Renewal master"

Behind the scenes, the code has to do the same thing (e.g. issue a search using
(&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))),
but the UX is a bit different.

> Martin
>

--
Martin^3 Babinsky

From mkosek at redhat.com Fri Mar 18 09:59:10 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 18 Mar 2016 10:59:10 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
In-Reply-To: <56EBCE95.2070501@redhat.com>
References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com>
Message-ID: <56EBD16E.40005@redhat.com>

On 03/18/2016 10:47 AM, Martin Babinsky wrote:
> On 03/18/2016 10:21 AM, Martin Kosek wrote:
>> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>>> Hi list,
>>>
>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
>>> document concerning the concept of Server Roles as a user-friendly abstraction
>>> of the services running on IPA masters.
>>>
>>> The main aim of this feature is to provide a higher level interface to query
>>> and manipulate service-related information stored in dirsrv backend.
>>>
>>> I have not touched the design much from the post-Devconf session, mainly
>>> because there are some points to clarify and agree upon.
>>
>> Initial thoughts:
>>
>> * Use Cases: these are rather vague points what you want to implement. In Use
>> Case section, I would like to see what specific *user* use cases you are
>> addressing, i.e. what user problems you are solving. Ideally in a form of a
>> user story. Like here:
>>
>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
>> or here:
>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
>> or here:
>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases
>>
> Ok I will think of some clearer points.
>
>>> I have the following points to discuss:
>>>
>>> 1.) the design assumes that there is a distinction between roles such as DNS
>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
>>> master, etc. Now in the hindsight I think this distinction is quite artificial
>>> and just clutters the interface unnecessarily. We might implement this kind of
>>> hierarchy in the code itself but that is something the user needs not be
>>> aware of.
>>
>> Well, there are dependencies. A server cannot be a CRL master without also
>> being a CA role. I assume same applies to DNSSEC master.
>>
>> I think we need to think more about distinguishing what is role, what is just
>> an attribute of a role, etc. AD for example distinguishes roles, role service
>> and features:
>>
>> https://technet.microsoft.com/en-us/library/cc754923.aspx
>>
> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I
> would like to discuss is whether it is necessary to expose this hierarchy to
> the users. Consider a case when user wants to find which server is a CA renewal
> master:
>
> ipa server-role-find "CA renewal master"
>
> vs.
>
> ipa server-role-find --subrole "Renewal master"
>
> Behind the scenes, the code has to do the same thing (e.g. issue a search using
> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))),
> but the UX is a bit different.

Well, even the LDAP structure is different in this case. CA role is an object
in cn=masters, caRenewalMaster is its property. So they will likely be
different user objects too.

For your example, I can imagine a search like that:

$ ipa server-role-find "CA" --subrole "renewal-master"

(for the case when you have "DNS" role also with "renewal-master" sub-role).

Martin

From ldoudova at redhat.com Fri Mar 18 10:24:12 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Fri, 18 Mar 2016 11:24:12 +0100
Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group
In-Reply-To: <56E1B5CC.7070208@redhat.com>
References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com> <56DEBE89.70808@redhat.com> <56DEC2DF.3000801@redhat.com> <56E1B5CC.7070208@redhat.com>
Message-ID: <56EBD74C.40709@redhat.com>

On 03/10/2016 06:58 PM, Petr Vobornik wrote:
> On 03/08/2016 01:17 PM, Lenka Doudova wrote:
>>
>>
>> On 03/08/2016 12:59 PM, Petr Vobornik wrote:
>>> On 03/07/2016 04:29 PM, Pavel Vomacka wrote:
>>>>
>>>>
>>>> On 02/25/2016 03:08 PM, Lenka Doudova wrote:
>>>>> Hi,
>>>>>
>>>>> here's a patch for webUI tests that provides test for creating user
>>>>> without private group.
>>>>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986
>>>>>
>>>>> Since the option to specify GID when creating a user is not available
>>>>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new
>>>>> posix group, makes it a default user group instead of 'ipausers' and
>>>>> then attempts to create the user without private group. Returning
>>>>> default user group value to 'ipausers' is provided even for cases
>>>>> when
>>>>> the test fails so it would not block other tests from performing
>>>>> properly.
>>>>>
>>>>> Lenka
>>>>>
>>>>>
>>>> Hi,
>>>>
>>>> ACK, works well.
>>>>
>>>> Pavel^3 Vomacka
>>>>
>>>
>>> NACK, don't use naked except, specify at least 'Exception'
>>> + except:
>>>
>>
>> Thanks, patch fixed according to Petr's review attached.
>>
>> Lenka
>
> Ticket 5505 was pushed. So the workaround can be removed. Do you
> prefer to do it in this patch?
>
> Also, maybe it would be good to test both cases and check if the error
> is actually the right one.

Hi,
attaching patch fixed according to recently pushed changes.

Lenka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0011.3-WebUI-Test-creating-user-without-private-group.patch
Type: text/x-patch
Size: 7345 bytes

From tjaalton at ubuntu.com Fri Mar 18 10:30:18 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 18 Mar 2016 12:30:18 +0200
Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
Message-ID: <56EBD8BA.9080304@ubuntu.com>

Fix some hardcoded uid/gid strings to help with porting.

--
t
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0012-ipaplatform-Move-remaining-user-group-constants-to-i.patch
Type: text/x-diff
Size: 27762 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0013-Use-ODS_USER-ODS_GROUP-in-opendnssec_conf.template.patch
Type: text/x-diff
Size: 1426 bytes

From cheimes at redhat.com Fri Mar 18 10:53:21 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 18 Mar 2016 11:53:21 +0100
Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
In-Reply-To: <56EBC8D9.9050501@redhat.com>
References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com> <56EBC8D9.9050501@redhat.com>
Message-ID: <56EBDE21.7000200@redhat.com>

On 2016-03-18 10:22, Martin Basti wrote:
>
>
> On 29.02.2016 16:02, David Kupka wrote:
>> Hello Christian,
>> sorry for letting this patch rot for so long.
I've forget about it the minute Fraser replied. >> To compensate a little I've fixed pep8 error, rebased it and attaching two versions for master and for 4.3 branch. >> I haven't found any missing cases and it works for me. If you're OK with the modified patches it can be pushed. >> >> David >> >> ----- Original Message ----- >> From: "Christian Heimes" >> To: "Fraser Tweedale" >> Cc: "freeipa-devel" >> Sent: Wednesday, January 20, 2016 11:57:42 AM >> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform >> >> On 2016-01-20 02:54, Fraser Tweedale wrote: >>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >>>> ipaplatform.constants has platform specific names for a couple of system >>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER >>>> and DS_GROUP are defined in other modules. Similar to #5587 the patch my >>>> patch moves the constants into the platform module. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5619 >>> I see a few remaining cases: >>> >>> ipaserver/install/dsinstance.py >>> 712: pent = pwd.getpwnam("dirsrv") >>> >>> ipatests/test_integration/test_backup_and_restore.py >>> 167: self.master.run_command(['userdel', 'dirsrv']) >>> 168: self.master.run_command(['userdel', 'pkiuser']) >>> >>> ipaplatform/redhat/tasks.py >>> 441: if name == 'pkiuser': >>> >>> When these are included, ACK. >> Good catch! >> >> My new patch takes care of remaining cases. >> >> >> >> > > Christian do you agree with proposed changes, can we push it? > Martin^2 Oh, the patch is still open? ACK! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature

From mbasti at redhat.com Fri Mar 18 11:39:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 12:39:21 +0100
Subject: [Freeipa-devel] [PATCH] sudo: Fix a typo in the --help output of sudocmdgroup
In-Reply-To: <20160311170158.GB3112@hendrix.redhat.com>
References: <20160311170158.GB3112@hendrix.redhat.com>
Message-ID: <56EBE8E9.6010203@redhat.com>

On 11.03.2016 18:01, Jakub Hrozek wrote:
> Hi,
>
> attached is a trivial patch.
>
>

ACK

Pushed to master: c6371abeb353c9e82b4c27899f98cae2c3b7cf88

From mbasti at redhat.com Fri Mar 18 12:09:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 13:09:33 +0100
Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
In-Reply-To: <56EBD8BA.9080304@ubuntu.com>
References: <56EBD8BA.9080304@ubuntu.com>
Message-ID: <56EBEFFD.4070609@redhat.com>

On 18.03.2016 11:30, Timo Aaltonen wrote:
> Fix some hardcoded uid/gid strings to help with porting.
>
>
>

Please note this is part of: https://fedorahosted.org/freeipa/ticket/5343 and ticket should be added to commits before push

From mbabinsk at redhat.com Fri Mar 18 12:24:31 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 13:24:31 +0100
Subject: [Freeipa-devel] [PATCH 0439] Do not do extra search for ipasshpubkey
In-Reply-To: <56E804A4.4000505@redhat.com>
References: <56E804A4.4000505@redhat.com>
Message-ID: <56EBF37F.4090101@redhat.com>

On 03/15/2016 01:48 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/3376
>
> Patch attached.
>
>

ACK but fix the 'behavioar' typo in the commit message before pushing.

-- 
Martin^3 Babinsky

From mbasti at redhat.com Fri Mar 18 12:28:01 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 13:28:01 +0100
Subject: [Freeipa-devel] [PATCH] 0018 DS deadlock when memberof scopes topology plugin updates
In-Reply-To: <56EAF244.9030202@redhat.com>
References: <56EAF244.9030202@redhat.com>
Message-ID: <56EBF451.7060308@redhat.com>

On 17.03.2016 19:07, thierry bordaz wrote:
> https://fedorahosted.org/freeipa/ticket/5637
>
>
>

Pushed to:
ipa-4-3: 17873d19b804c78a2d1ff78e37ea2da35acac942
master: e1bbd90360b98910540b7390b312b6405d0da102

From mbasti at redhat.com Fri Mar 18 12:28:47 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 13:28:47 +0100
Subject: [Freeipa-devel] [PATCH] 0018 DS deadlock when memberof scopes topology plugin updates
In-Reply-To: <56EBF451.7060308@redhat.com>
References: <56EAF244.9030202@redhat.com> <56EBF451.7060308@redhat.com>
Message-ID: <56EBF47F.7020604@redhat.com>

On 18.03.2016 13:28, Martin Basti wrote:
>
>
> On 17.03.2016 19:07, thierry bordaz wrote:
>> https://fedorahosted.org/freeipa/ticket/5637
>>
>>
>>
>
> Pushed to:
> ipa-4-3: 17873d19b804c78a2d1ff78e37ea2da35acac942
> master: e1bbd90360b98910540b7390b312b6405d0da102
>
>
>

ACK :)

From mbasti at redhat.com Fri Mar 18 12:38:39 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 18 Mar 2016 13:38:39 +0100
Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode
In-Reply-To: <56E82439.2040108@redhat.com>
References: <56E18BC8.1000700@redhat.com> <56E6F430.4020900@redhat.com> <56E82439.2040108@redhat.com>
Message-ID: <56EBF6CF.8000607@redhat.com>

On 15.03.2016 16:03, Martin Babinsky wrote:
> On 03/14/2016 06:26 PM, Martin Basti wrote:
>>
>>
>> On 10.03.2016 15:59, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5380
>>>
>>>
>>>
>> NACK
>>
>> 1)
>> Maybe we should print traceback in verbose mode for RuntimeError as
>> well.
>>
>> 2)
>> IMO would be better to print traceback first and then, print error
>>
>> Martin^2
>
> Attaching updated patch.
>

I changed my mind, RuntimeError should stay as it is now. Sorry

From rcritten at redhat.com Fri Mar 18 12:49:29 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 18 Mar 2016 08:49:29 -0400
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
In-Reply-To: <56EBCA37.6020306@redhat.com>
References: <56EBCA37.6020306@redhat.com>
Message-ID: <56EBF959.3060807@redhat.com>

Martin Babinsky wrote:
> These patches implement behavior agreed upon during discussion of
> https://fedorahosted.org/freeipa/ticket/5677
>
> However I'm not sure if we want to push them into 4-3 branch (the ticket
> is triaged into 4.3.2 milestone) since they modify the framework
> behavior quite a bit.
>
> If there is no need to have it there (CC'ing Milan since he is the
> reporter), I would retriage it into 4.4 milestone.

+ desc="while getting entries (search base: '{}'," + "filter: {})".format(base_dn, filter))

This is going to expose parts of the DIT in an error message to users. We have tried in the past to hide the implementation.
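Review bot: In the quoted `desc=` argument the two adjacent string literals are joined with no space after the comma, so the rendered text reads `(search base: '...',filter: ...)`; end the first literal with a trailing space or start the second with one. The search base is wrapped in single quotes while the filter is not, so quote both or neither, and the name `filter` passed to `format()` collides with the Python builtin of the same name, so a more specific name for the variable would avoid the shadowing.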
I'd propose logging the error and making the exception less verbose.

rob

From mbabinsk at redhat.com Fri Mar 18 13:02:09 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 14:02:09 +0100
Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode
In-Reply-To: <56EBF6CF.8000607@redhat.com>
References: <56E18BC8.1000700@redhat.com> <56E6F430.4020900@redhat.com> <56E82439.2040108@redhat.com> <56EBF6CF.8000607@redhat.com>
Message-ID: <56EBFC51.7050606@redhat.com>

On 03/18/2016 01:38 PM, Martin Basti wrote:
>
>
> On 15.03.2016 16:03, Martin Babinsky wrote:
>> On 03/14/2016 06:26 PM, Martin Basti wrote:
>>>
>>>
>>> On 10.03.2016 15:59, Martin Babinsky wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5380
>>>>
>>>>
>>>>
>>> NACK
>>>
>>> 1)
>>> Maybe we should print traceback in verbose mode for RuntimeError as
>>> well.
>>>
>>> 2)
>>> IMO would be better to print traceback first and then, print error
>>>
>>> Martin^2
>>
>> Attaching updated patch.
>>
> I changed my mind, RuntimeError should stay as it is now. Sorry

No problem.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0141.2-ipa-replica-manage-print-traceback-on-unexpected-err.patch
Type: text/x-patch
Size: 2158 bytes
Desc: not available

From mbabinsk at redhat.com Fri Mar 18 13:12:25 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 14:12:25 +0100
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56D68798.60603@redhat.com>
References: <56D5E8D3.5020709@redhat.com> <56D5E9DF.1080201@redhat.com> <56D5EA6C.4030005@redhat.com> <56D5EF32.7090006@redhat.com> <56D68798.60603@redhat.com>
Message-ID: <56EBFEB9.7070105@redhat.com>

On 03/02/2016 07:26 AM, Jan Cholasta wrote:
> On 1.3.2016 20:36, Rob Crittenden wrote:
>> Martin Basti wrote:
>>>
>>>
>>> On 01.03.2016 20:13, Rob Crittenden wrote:
>>>> Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5704
>>>>>
>>>>> Patch attached.
>>>>>
>>>>>
>>>> Would it be safer to integrate this into ipa-upgrade itself? You'd just
>>>> need to return 0 for the case where IPA isn't installed.
>>>>
>>>> rob
>>> How about the case when ipa-server-upgrade is called by user from CLI?
>>> It should fail because IPA is not installed, instead of returning
>>> success. That check is in specfile anyway due service restart.
>>>
>>> Martin^2
>>
>> Yeah, I was hoping you'd miss that :-)
>>
>> It just seems to me, as you point out, that it should check when run by
>> anything, user or spec, so adding it only to the spec seems wrong. I'm
>> not a huge fan of option bloat but that would be one way around this,
>> --graceful-exit or something. Could make it a hidden option if you
>> wanted.
>
> I don't think adding the option is worth the effort, as we will be soon
> moving away from running the upgrade script directly from the spec file
> to a service based solution (#4552, #5373).
>

I am not a big fan of adding a special option and the related magic to the upgrade code itself either. I will ACK this patch unless there is some strong opposition towards this approach.

-- 
Martin^3 Babinsky

From akasurde at redhat.com Fri Mar 18 13:21:16 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 18 Mar 2016 18:51:16 +0530
Subject: [Freeipa-devel] [PATCH] Added fix for notifying user about account expiration in Web UI
Message-ID: <56EC00CC.2080300@redhat.com>

Hi All,

Please review these patches.

Fixes : https://fedorahosted.org/freeipa/ticket/5077

Thanks,
Abhijeet Kasurde
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-1-Added-fix-for-notifying-user-about-account-expiratio.patch
Type: text/x-patch
Size: 1652 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-1-Added-fix-for-notifying-user-about-account-expiratio-ipa-4-2.patch
Type: text/x-patch
Size: 1652 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-1-Added-fix-for-notifying-user-about-account-expiratio-ipa-4-3.patch Type: text/x-patch Size: 1652 bytes Desc: not available URL: From pvoborni at redhat.com Fri Mar 18 13:44:12 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 18 Mar 2016 14:44:12 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EBD16E.40005@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> Message-ID: <56EC062C.8000606@redhat.com> On 03/18/2016 10:59 AM, Martin Kosek wrote: > On 03/18/2016 10:47 AM, Martin Babinsky wrote: >> On 03/18/2016 10:21 AM, Martin Kosek wrote: >>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>>> Hi list, >>>> >>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design >>>> document concerning the concept of Server Roles as a user-friendly abstraction >>>> of the services running on IPA masters. >>>> >>>> The main aim of this feature is to provide a higher level interface to query >>>> and manipulate service-related information stored in dirsrv backend. >>>> >>>> I have not touched the design much from the post-Devconf session, mainly >>>> because there are some points to clarify and agree upon. >>> >>> Initial thoughts: >>> >>> * Use Cases: these are rather vague points what you want to implement. In Use >>> Case section, I would like to see what specific *user* use cases you are >>> addressing, i.e. what user problems you are solving. Ideally in a form of a >>> user story. Like here: >>> >>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>> or here: >>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>> or here: >>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>> >> Ok I will thing of some clearer points. >> >>>> I have the following points to discuss: >>>> >>>> 1.) 
the design assumes that there is a distinction between roles such as DNS >>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL >>>> master, etc. Now in the hindsight I think this distinction is quite artificial >>>> and just clutters the interface unnecessarily. We might implement this kind of >>>> hierarchy in the code itself but that is something the user needs not be >>>> aware of. >>> >>> Well, there are dependencies. A server cannot be a CRL master without also >>> being a CA role. I assume same applies to DNSSEC master. >>> >>> I think we need to think more about distinguishing what is role, what is just >>> an attribute of a role, etc. AD for example distinguishes roles, role service >>> and features: >>> >>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>> >> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I >> would like to discuss is whether it is necessary to expose this hierarchy to >> the users. Consider a case when user wants to find which server is a CA renewal >> master: >> >> ipa server-role-find "CA renewal master" >> >> vs. >> >> ipa server-role-find --subrole "Renewal master" >> >> Behind the scenes, the code has to do the same thing (e.g. issue a search using >> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >> but the UX is a bit different. > > Well, even the LDAP structure is different in this case. CA role is an object > in cn=masters, caRenewalMaster is it's property. So they will likely be > different user objects too. > > For your example, I can image a search like that: > > $ ipa server-role-find "CA" --subrole "renewal-master" > > (for the case when you have "DNS" role also with "renewal-master" sub-role). > > Martin > I don't have a strong option about this matter. Number of roles will be limited. I don't see any point in developing hierarchies in CLI/API/Web UI. 
Simply describing the roles and their dependencies in server-role help should be enough.

Hierarchy and dependency should be checked internally.

Question is how it should behave in practice. There is no example in the design page. Imagine these use cases:

$ server-role-find
"CA"
"CA renewal master"
"DNS server"
"DNSSec Key Master"
...

maybe it should print also description, but help might be enough.


$ ipa server-role-enable $SERVER "CA renewal master"
Error: Server must have a "CA" role.

$ ipa server-role-enable $SERVER "CA"
Error: run ipa-ca-install on $SERVER to enable the CA role

Note: if in future we implement a privileged daemon then the installation can be done by the daemon.

# ipa-ca-install

$ ipa server-role-enable $SERVER "CA"
INFO: Server already in CA role

$ server-show $SERVER
...
Roles: DNS Server, CA
...

$ ipa server-role-enable $SERVER "CA renewal master"
SUCCESS: $server is now "CA renewal master"
INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS

What is the purpose of `ipa server-role-disable`?

If in future we need to configure a role then: $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not supported in FW now because the attrs might differ based on $ROLE) -- Petr Vobornik From simo at redhat.com Fri Mar 18 13:59:33 2016 From: simo at redhat.com (Simo Sorce) Date: Fri, 18 Mar 2016 09:59:33 -0400 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EC062C.8000606@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> Message-ID: <1458309573.26218.109.camel@redhat.com> On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote: > On 03/18/2016 10:59 AM, Martin Kosek wrote: > > On 03/18/2016 10:47 AM, Martin Babinsky wrote: > >> On 03/18/2016 10:21 AM, Martin Kosek wrote: > >>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: > >>>> Hi list, > >>>> > >>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design > >>>> document concerning the concept of Server Roles as a user-friendly abstraction > >>>> of the services running on IPA masters. > >>>> > >>>> The main aim of this feature is to provide a higher level interface to query > >>>> and manipulate service-related information stored in dirsrv backend. > >>>> > >>>> I have not touched the design much from the post-Devconf session, mainly > >>>> because there are some points to clarify and agree upon. > >>> > >>> Initial thoughts: > >>> > >>> * Use Cases: these are rather vague points what you want to implement. In Use > >>> Case section, I would like to see what specific *user* use cases you are > >>> addressing, i.e. what user problems you are solving. Ideally in a form of a > >>> user story. 
Like here: > >>> > >>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases > >>> or here: > >>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases > >>> or here: > >>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases > >>> > >> Ok I will thing of some clearer points. > >> > >>>> I have the following points to discuss: > >>>> > >>>> 1.) the design assumes that there is a distinction between roles such as DNS > >>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL > >>>> master, etc. Now in the hindsight I think this distinction is quite artificial > >>>> and just clutters the interface unnecessarily. We might implement this kind of > >>>> hierarchy in the code itself but that is something the user needs not be > >>>> aware of. > >>> > >>> Well, there are dependencies. A server cannot be a CRL master without also > >>> being a CA role. I assume same applies to DNSSEC master. > >>> > >>> I think we need to think more about distinguishing what is role, what is just > >>> an attribute of a role, etc. AD for example distinguishes roles, role service > >>> and features: > >>> > >>> https://technet.microsoft.com/en-us/library/cc754923.aspx > >>> > >> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I > >> would like to discuss is whether it is necessary to expose this hierarchy to > >> the users. Consider a case when user wants to find which server is a CA renewal > >> master: > >> > >> ipa server-role-find "CA renewal master" > >> > >> vs. > >> > >> ipa server-role-find --subrole "Renewal master" > >> > >> Behind the scenes, the code has to do the same thing (e.g. issue a search using > >> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), > >> but the UX is a bit different. > > > > Well, even the LDAP structure is different in this case. CA role is an object > > in cn=masters, caRenewalMaster is it's property. 
So they will likely be > > different user objects too. > > > > For your example, I can image a search like that: > > > > $ ipa server-role-find "CA" --subrole "renewal-master" > > > > (for the case when you have "DNS" role also with "renewal-master" sub-role). > > > > Martin > > > > I don't have a strong option about this matter. > > Number of roles will be limited. I don't see any point in developing > hierarchies in CLI/API/Web UI. Simply describing the roles and their > dependencies in server-role help should be enough. > > Hierarchy and dependency should be checked internally. > > Question is how it should behave in practice. There is no example in the > design page. Imagine these use cases: > > $ server-role-find > "CA" > "CA renewal master" > "DNS server" > "DNSSec Key Master" > ... > > maybe is should print also description, but help might be enough. > > > $ ipa server-role-enable $SERVER "CA renewal master" > Error: Server must have a "CA" role. > > $ ipa server-role-enable $SERVER "CA" > Error: run ipa-ca-install on $SERVER to enable the CA role > > Note: if in future we implement a privileged daemon then the > installation can be done by the daemon. > > # ipa-ca-install > > $ ipa server-role-enable $SERVER "CA" > INFO: Server already in CA role > > $ server-show $SERVER > ... > Roles: DNS Server, CA > ... > > $ ipa server-role-enable $SERVER "CA renewal master" > SUCCESS: $server is now "CA renewal master" > INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS > > What is a purpose of `ipa server-role-disable`? > > If in future we need to configure a role then: > > $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not > supported in FW now because the attrs might differ based on $ROLE) I am not sure why we use enable/disable verbs here, why not a simple add/remove ? enable/disabled usually means you can add a role but keep it disabled, or that you can keep a role installed and just disabled it, but that is not really the case. 

Also I would like to draw attention to one other aspect.
Roles != Services, in the list of roles for example I see memcached, it is in the list because you picked up all services and made a role out of them, but they are not all roles.

in fact memcached is just an implementation detail of the framework and should not be mentioned at all (and in fact we are planning to stop using it altogether).

Another "role" that should probably not exist is kpasswd, again kpasswd is there only because we required to start a separate service to implement its functionality, but semantically it is just an implementation detail of the KDC role. A master KDC will *always* have it, and in future, a Read Only KDC will not have it or use a different service that can proxy password change requests to a writable master, in any case an admin should not be able to "enable/disable" this role disjointly from the KDC role.

Finally, although the KRA is a separate Role it has a dependency on the CA Role, how is that expressed ?

Last but not least, why do we need a "role" concept ? Can't we simply expose the running services ? If not, the reasons why need to be explained in the design page, as currently it only says that Role are introduced to expose the information, but it doesn't say why just exposing the information w/o changing any semantics is not desirable.

My 2c,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From pvoborni at redhat.com Fri Mar 18 14:09:46 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 18 Mar 2016 15:09:46 +0100
Subject: [Freeipa-devel] [PATCH] Added fix for notifying user about account expiration in Web UI
In-Reply-To: <56EC00CC.2080300@redhat.com>
References: <56EC00CC.2080300@redhat.com>
Message-ID: <56EC0C2A.3020009@redhat.com>

On 03/18/2016 02:21 PM, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review these patches.
>
> Fixes : https://fedorahosted.org/freeipa/ticket/5077
>
> Thanks,
> Abhijeet Kasurde
>

'invalid' is a default and right now is meant for invalid password (not correct, see below). So by reading the patch, it will break the case when user sets invalid password.

Better would be to process kinit output in rpcserver.py:login_password and set e.g: 'krbprincipal-expired' reason. Then add it to a list of known errors in ipa.js:login_password:498. We should probably add also 'invalid-password' to the list.

Then do the change as in this patch but only with: 'krbprincipal-expired'.

If 'invalid-password' is added to the list of known errors then we should change the default error from "The password or username you entered is incorrect. " to e.g.: "Login failed from unknown reason"

-- 
Petr Vobornik

From mbabinsk at redhat.com Fri Mar 18 14:12:21 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 18 Mar 2016 15:12:21 +0100
Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
In-Reply-To: <56EADD09.2060109@redhat.com>
References: <56EADD09.2060109@redhat.com>
Message-ID: <56EC0CC5.5040209@redhat.com>

On 03/17/2016 05:36 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5681
>
> Patch attached.
>
>

Hi Martin,

Nitpick attack: Please fix the commit message:

"File httpd.service was created by RPM, what causes that httpd service may", should be "..., which causes"

Otherwise the code looks good and works as expected.

However, you still cannot start httpd.service after ipa-server uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss to fail (see http error_log):

"""
[Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] NSSSessionCacheTimeout is deprecated. Ignoring.
[Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot internal is incorrect.
[Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: -8177 The security password entered is incorrect
"""

I guess that this is beyond this patch, since I think it is related to https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing Jan who owns the ticket.

-- 
Martin^3 Babinsky

From cheimes at redhat.com Fri Mar 18 14:26:48 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 18 Mar 2016 15:26:48 +0100
Subject: [Freeipa-devel] Converting plugin output
Message-ID: <56EC1028.40600@redhat.com>

Hi,

I'd like to use FreeIPA's RPC interface from Ansible directly. But the output of plugins is rather unfriendly and unpythonic:

>>> print(api.Command.dnsconfig_show())
{u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr': (u'FALSE',)}, u'value': None, u'summary': None}

Please notice (u'FALSE',) instead of False. I have written a simple function that uses the parameter definitions to convert most values automatically:

def converter(plugin, *args, **kwargs):
    response = plugin(*args, **kwargs)
    # Map parameter name -> parameter definition for this plugin
    params = {p.name: p for p in plugin.obj.takes_params}
    if hasattr(plugin, 'output_params'):
        params.update({p.name: p for p in plugin.output_params()})
    results = response['result']
    # *_show returns a single dict, *_find returns a list of dicts
    if isinstance(results, dict):
        results = [results]
    for result in results:
        for key, value in result.iteritems():
            param = params.get(key)
            if param is None:
                continue
            # Unwrap single-valued attributes that arrive as a sequence
            if (value and not param.multivalue and
                    isinstance(value, (list, tuple))):
                if len(value) > 1:
                    raise ValueError(key, value)
                value = value[0]
            result[key] = param.convert(value)
    return response

It works like a charm for several plugins:

>>> print(converter(api.Command.dnsconfig_show))
{u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr': False}, u'value': None, u'summary': None}

But it is failing for some plugins like user_find().
The plugin returns u'memberof_group': (u'admins', u'trust admins'). However global_output_params defines the value as an optional and single valued string: Str('memberof_group?', label=_('Member of groups')).

I think the definition is wrong. memberof_group and some other fields should be defined as optional and multivalued fields instead. Even the field's label uses a plural form.

What do you think?

Christian

From pvoborni at redhat.com Fri Mar 18 14:28:09 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 18 Mar 2016 15:28:09 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
In-Reply-To: <1458309573.26218.109.camel@redhat.com>
References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <1458309573.26218.109.camel@redhat.com>
Message-ID: <56EC1079.10107@redhat.com>

On 03/18/2016 02:59 PM, Simo Sorce wrote:
> On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote:
>> On 03/18/2016 10:59 AM, Martin Kosek wrote:
>>> On 03/18/2016 10:47 AM, Martin Babinsky wrote:
>>>> On 03/18/2016 10:21 AM, Martin Kosek wrote:
>>>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>>>>>> Hi list,
>>>>>>
>>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
>>>>>> document concerning the concept of Server Roles as a user-friendly abstraction
>>>>>> of the services running on IPA masters.
>>>>>>
>>>>>> The main aim of this feature is to provide a higher level interface to query
>>>>>> and manipulate service-related information stored in dirsrv backend.
>>>>>>
>>>>>> I have not touched the design much from the post-Devconf session, mainly
>>>>>> because there are some points to clarify and agree upon.
>>>>> >>>>> Initial thoughts: >>>>> >>>>> * Use Cases: these are rather vague points what you want to implement. In Use >>>>> Case section, I would like to see what specific *user* use cases you are >>>>> addressing, i.e. what user problems you are solving. Ideally in a form of a >>>>> user story. Like here: >>>>> >>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>>>> >>>> Ok I will thing of some clearer points. >>>> >>>>>> I have the following points to discuss: >>>>>> >>>>>> 1.) the design assumes that there is a distinction between roles such as DNS >>>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL >>>>>> master, etc. Now in the hindsight I think this distinction is quite artificial >>>>>> and just clutters the interface unnecessarily. We might implement this kind of >>>>>> hierarchy in the code itself but that is something the user needs not be >>>>>> aware of. >>>>> >>>>> Well, there are dependencies. A server cannot be a CRL master without also >>>>> being a CA role. I assume same applies to DNSSEC master. >>>>> >>>>> I think we need to think more about distinguishing what is role, what is just >>>>> an attribute of a role, etc. AD for example distinguishes roles, role service >>>>> and features: >>>>> >>>>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>>>> >>>> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I >>>> would like to discuss is whether it is necessary to expose this hierarchy to >>>> the users. Consider a case when user wants to find which server is a CA renewal >>>> master: >>>> >>>> ipa server-role-find "CA renewal master" >>>> >>>> vs. >>>> >>>> ipa server-role-find --subrole "Renewal master" >>>> >>>> Behind the scenes, the code has to do the same thing (e.g. 
issue a search using >>>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >>>> but the UX is a bit different. >>> >>> Well, even the LDAP structure is different in this case. CA role is an object >>> in cn=masters, caRenewalMaster is it's property. So they will likely be >>> different user objects too. >>> >>> For your example, I can image a search like that: >>> >>> $ ipa server-role-find "CA" --subrole "renewal-master" >>> >>> (for the case when you have "DNS" role also with "renewal-master" sub-role). >>> >>> Martin >>> >> >> I don't have a strong option about this matter. >> >> Number of roles will be limited. I don't see any point in developing >> hierarchies in CLI/API/Web UI. Simply describing the roles and their >> dependencies in server-role help should be enough. >> >> Hierarchy and dependency should be checked internally. >> >> Question is how it should behave in practice. There is no example in the >> design page. Imagine these use cases: >> >> $ server-role-find >> "CA" >> "CA renewal master" >> "DNS server" >> "DNSSec Key Master" >> ... >> >> maybe is should print also description, but help might be enough. >> >> >> $ ipa server-role-enable $SERVER "CA renewal master" >> Error: Server must have a "CA" role. >> >> $ ipa server-role-enable $SERVER "CA" >> Error: run ipa-ca-install on $SERVER to enable the CA role >> >> Note: if in future we implement a privileged daemon then the >> installation can be done by the daemon. >> >> # ipa-ca-install >> >> $ ipa server-role-enable $SERVER "CA" >> INFO: Server already in CA role >> >> $ server-show $SERVER >> ... >> Roles: DNS Server, CA >> ... >> >> $ ipa server-role-enable $SERVER "CA renewal master" >> SUCCESS: $server is now "CA renewal master" >> INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS >> >> What is a purpose of `ipa server-role-disable`? 
>>
>> If in future we need to configure a role then:
>>
>> $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not
>> supported in FW now because the attrs might differ based on $ROLE)
>
> I am not sure why we use enable/disable verbs here, why not a simple
> add/remove ?

'Add' is fine with me. AFAIK, there is no use case for 'remove' now, but in future it is probably OK.

> enable/disabled usually means you can add a role but keep it disabled,
> or that you can keep a role installed and just disable it, but that is
> not really the case.
>
> Also I would like to draw attention to one other aspect.
> Roles != Services, in the list of roles for example I see memcached, it
> is in the list because you picked up all services and made a role out of
> them, but they are not all roles.
>
> in fact memcached is just an implementation detail of the framework and
> should not be mentioned at all (and in fact we are planning to stop
> using it altogether).
>
> Another "role" that should probably not exist is kpasswd, again kpasswd
> is there only because we required to start a separate service to
> implement its functionality, but semantically it is just an
> implementation detail of the KDC role. A master KDC will *always* have
> it, and in future, a Read Only KDC will not have it or use a different
> service that can proxy password change requests to a writable master, in
> any case an admin should not be able to "enable/disable" this role
> disjointly from the KDC role.

I don't see them listed as a role in the design. They are just a service of implicit 'master' role.

>
> Finally, although the KRA is a separate Role it has a dependency on the
> CA Role, how is that expressed ?
>
> Last but not least, why do we need a "role" concept ? Can't we simply
> expose the running services ?
If not, the reasons why need to be > explained in the design page, as currently it only says that Role are > introduced to expose the information, but it doesn't say why just > exposing the information w/o changing any semantics is not desirable. > > My 2c, > Simo. > I see roles as info for admins. Services are implementation detail. Use cases I see: 1. Administrator wants to know which servers are configured with CA|KRA|DNS. 2. Administrator wants to know which server is CRL master. 3. We want this info to be able to display it in topology graph (but this is for 4.5). Should there be an NTP server role? -- Petr Vobornik From mbabinsk at redhat.com Fri Mar 18 14:28:45 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 18 Mar 2016 15:28:45 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <1458309573.26218.109.camel@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <1458309573.26218.109.camel@redhat.com> Message-ID: <56EC109D.9060302@redhat.com> On 03/18/2016 02:59 PM, Simo Sorce wrote: > On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote: >> On 03/18/2016 10:59 AM, Martin Kosek wrote: >>> On 03/18/2016 10:47 AM, Martin Babinsky wrote: >>>> On 03/18/2016 10:21 AM, Martin Kosek wrote: >>>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>>>>> Hi list, >>>>>> >>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design >>>>>> document concerning the concept of Server Roles as a user-friendly abstraction >>>>>> of the services running on IPA masters. >>>>>> >>>>>> The main aim of this feature is to provide a higher level interface to query >>>>>> and manipulate service-related information stored in dirsrv backend. >>>>>> >>>>>> I have not touched the design much from the post-Devconf session, mainly >>>>>> because there are some points to clarify and agree upon. 
>>>>> >>>>> Initial thoughts: >>>>> >>>>> * Use Cases: these are rather vague points what you want to implement. In Use >>>>> Case section, I would like to see what specific *user* use cases you are >>>>> addressing, i.e. what user problems you are solving. Ideally in a form of a >>>>> user story. Like here: >>>>> >>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>>>> >>>> Ok I will thing of some clearer points. >>>> >>>>>> I have the following points to discuss: >>>>>> >>>>>> 1.) the design assumes that there is a distinction between roles such as DNS >>>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL >>>>>> master, etc. Now in the hindsight I think this distinction is quite artificial >>>>>> and just clutters the interface unnecessarily. We might implement this kind of >>>>>> hierarchy in the code itself but that is something the user needs not be >>>>>> aware of. >>>>> >>>>> Well, there are dependencies. A server cannot be a CRL master without also >>>>> being a CA role. I assume same applies to DNSSEC master. >>>>> >>>>> I think we need to think more about distinguishing what is role, what is just >>>>> an attribute of a role, etc. AD for example distinguishes roles, role service >>>>> and features: >>>>> >>>>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>>>> >>>> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I >>>> would like to discuss is whether it is necessary to expose this hierarchy to >>>> the users. Consider a case when user wants to find which server is a CA renewal >>>> master: >>>> >>>> ipa server-role-find "CA renewal master" >>>> >>>> vs. >>>> >>>> ipa server-role-find --subrole "Renewal master" >>>> >>>> Behind the scenes, the code has to do the same thing (e.g. 
issue a search using >>>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >>>> but the UX is a bit different. >>> >>> Well, even the LDAP structure is different in this case. CA role is an object >>> in cn=masters, caRenewalMaster is it's property. So they will likely be >>> different user objects too. >>> >>> For your example, I can image a search like that: >>> >>> $ ipa server-role-find "CA" --subrole "renewal-master" >>> >>> (for the case when you have "DNS" role also with "renewal-master" sub-role). >>> >>> Martin >>> >> >> I don't have a strong option about this matter. >> >> Number of roles will be limited. I don't see any point in developing >> hierarchies in CLI/API/Web UI. Simply describing the roles and their >> dependencies in server-role help should be enough. >> >> Hierarchy and dependency should be checked internally. >> >> Question is how it should behave in practice. There is no example in the >> design page. Imagine these use cases: >> >> $ server-role-find >> "CA" >> "CA renewal master" >> "DNS server" >> "DNSSec Key Master" >> ... >> >> maybe is should print also description, but help might be enough. >> >> >> $ ipa server-role-enable $SERVER "CA renewal master" >> Error: Server must have a "CA" role. >> >> $ ipa server-role-enable $SERVER "CA" >> Error: run ipa-ca-install on $SERVER to enable the CA role >> >> Note: if in future we implement a privileged daemon then the >> installation can be done by the daemon. >> >> # ipa-ca-install >> >> $ ipa server-role-enable $SERVER "CA" >> INFO: Server already in CA role >> >> $ server-show $SERVER >> ... >> Roles: DNS Server, CA >> ... >> >> $ ipa server-role-enable $SERVER "CA renewal master" >> SUCCESS: $server is now "CA renewal master" >> INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS >> >> What is a purpose of `ipa server-role-disable`? 
>>
>> If in future we need to configure a role then:
>>
>> $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not
>> supported in FW now because the attrs might differ based on $ROLE)
>
> I am not sure why we use enable/disable verbs here, why not a simple
> add/remove ?
> enable/disabled usually means you can add a role but keep it disabled,
> or that you can keep a role installed and just disable it, but that is
> not really the case.
>

The services should be moved only by installer code, I would prefer to only enable/disable roles (set the 'ipaConfigstring=enabledService/disabledService' for each service comprising the role). This would not solve much in the current implementation (apart from marking the role on that master as disabled), but we discussed with Jan Cholasta that in the future we could have a small service running on each IPA master, monitoring changes in LDAP and doing stuff on the local system reflecting the state of LDAP tree. With this service in mind, we could mark a role as disabled remotely, and the daemon running on the affected master would pick this up and disable all systemd services running on that host which comprise the role.

> Also I would like to draw attention to one other aspect.
> Roles != Services, in the list of roles for example I see memcached, it
> is in the list because you picked up all services and made a role out of
> them, but they are not all roles.
>
> in fact memcached is just an implementation detail of the framework and
> should not be mentioned at all (and in fact we are planning to stop
> using it altogether).
>
> Another "role" that should probably not exist is kpasswd, again kpasswd
> is there only because we required to start a separate service to
> implement its functionality, but semantically it is just an
> implementation detail of the KDC role. A master KDC will *always* have
> it, and in future, a Read Only KDC will not have it or use a different
> service that can proxy password change requests to a writable master, in
> any case an admin should not be able to "enable/disable" this role
> disjointly from the KDC role.

KDC, PASSWD, MEMCACHE, KEYS and few other should be either part of some default role not exposed to the users or not used in the role concept at all. The mapping is several services -> single role so no, roles are not services.

>
> Finally, although the KRA is a separate Role it has a dependency on the
> CA Role, how is that expressed ?
>

That would be a part of implementation discussion I guess. I imagine roles having a hierarchy so that you e.g. could not mark a server as CRL master if his CA role is disabled. I should put together a prototype code illustrating this.

> Last but not least, why do we need a "role" concept ? Can't we simply
> expose the running services ? If not, the reasons why need to be
> explained in the design page, as currently it only says that Role are
> introduced to expose the information, but it doesn't say why just
> exposing the information w/o changing any semantics is not desirable.
>

The problem is that if you just list only a list of services running on a master it can be quite hard for the user to know e.g. which services mean that the machine is an AD Trust controller (lemme check: ADTRUST, EXTID) or which CA is the renewal master (CA service is there and some ipaConfigString=caRenewalMaster attribute is set). IMHO it is a useful abstraction to hide these details and present them as "some roles that the master fulfills". This abstraction also simplifies some steps migration of e.g. renewal master or DNSSec key master: Instead of searching for server with 'ipaConfigString=caRenewalMaster' attribute, removing it from the entry and adding it to another CA master, you just call a single API command and be done with it.

> My 2c,
> Simo.
> -- Martin^3 Babinsky From mbabinsk at redhat.com Fri Mar 18 14:43:23 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 18 Mar 2016 15:43:23 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EC062C.8000606@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> Message-ID: <56EC140B.9060806@redhat.com> On 03/18/2016 02:44 PM, Petr Vobornik wrote: > On 03/18/2016 10:59 AM, Martin Kosek wrote: >> On 03/18/2016 10:47 AM, Martin Babinsky wrote: >>> On 03/18/2016 10:21 AM, Martin Kosek wrote: >>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>>>> Hi list, >>>>> >>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP >>>>> design >>>>> document concerning the concept of Server Roles as a user-friendly >>>>> abstraction >>>>> of the services running on IPA masters. >>>>> >>>>> The main aim of this feature is to provide a higher level interface >>>>> to query >>>>> and manipulate service-related information stored in dirsrv backend. >>>>> >>>>> I have not touched the design much from the post-Devconf session, >>>>> mainly >>>>> because there are some points to clarify and agree upon. >>>> >>>> Initial thoughts: >>>> >>>> * Use Cases: these are rather vague points what you want to >>>> implement. In Use >>>> Case section, I would like to see what specific *user* use cases you >>>> are >>>> addressing, i.e. what user problems you are solving. Ideally in a >>>> form of a >>>> user story. Like here: >>>> >>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>>> or here: >>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>>> or here: >>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>>> >>> Ok I will thing of some clearer points. >>> >>>>> I have the following points to discuss: >>>>> >>>>> 1.) 
the design assumes that there is a distinction between roles >>>>> such as DNS >>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key >>>>> master, CRL >>>>> master, etc. Now in the hindsight I think this distinction is quite >>>>> artificial >>>>> and just clutters the interface unnecessarily. We might implement >>>>> this kind of >>>>> hierarchy in the code itself but that is something the user needs >>>>> not be >>>>> aware of. >>>> >>>> Well, there are dependencies. A server cannot be a CRL master >>>> without also >>>> being a CA role. I assume same applies to DNSSEC master. >>>> >>>> I think we need to think more about distinguishing what is role, >>>> what is just >>>> an attribute of a role, etc. AD for example distinguishes roles, >>>> role service >>>> and features: >>>> >>>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>>> >>> We will have to implement the role/subrole/unicorn hierarchy anyhow. >>> What I >>> would like to discuss is whether it is necessary to expose this >>> hierarchy to >>> the users. Consider a case when user wants to find which server is a >>> CA renewal >>> master: >>> >>> ipa server-role-find "CA renewal master" >>> >>> vs. >>> >>> ipa server-role-find --subrole "Renewal master" >>> >>> Behind the scenes, the code has to do the same thing (e.g. issue a >>> search using >>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >>> >>> but the UX is a bit different. >> >> Well, even the LDAP structure is different in this case. CA role is an >> object >> in cn=masters, caRenewalMaster is it's property. So they will likely be >> different user objects too. >> >> For your example, I can image a search like that: >> >> $ ipa server-role-find "CA" --subrole "renewal-master" >> >> (for the case when you have "DNS" role also with "renewal-master" >> sub-role). >> >> Martin >> > > I don't have a strong option about this matter. > > Number of roles will be limited. 
> I don't see any point in developing
> hierarchies in CLI/API/Web UI. Simply describing the roles and their
> dependencies in server-role help should be enough.
>
> Hierarchy and dependency should be checked internally.
>
> Question is how it should behave in practice. There is no example in the
> design page. Imagine these use cases:
>
> $ server-role-find
> "CA"
> "CA renewal master"
> "DNS server"
> "DNSSec Key Master"
> ...
>
> maybe it should print also description, but help might be enough.
>

$ server-role-find
===
Certificate Authority
Manages certificate requests and revocation...
(optionally list masters)
Enabled on: master1.ipa.test, replica3.ipa.test

===
DNS Server
manages forward and reverse name resolution
Enabled on: master1.ipa.test

===
CA renewal master
Manages automatic renewal of certificates nearing expiration
Enabled on: replica3.ipa.test
...

>
> $ ipa server-role-enable $SERVER "CA renewal master"
> Error: Server must have a "CA" role.
>
> $ ipa server-role-enable $SERVER "CA"
> Error: run ipa-ca-install on $SERVER to enable the CA role
>
> Note: if in future we implement a privileged daemon then the
> installation can be done by the daemon.
>
> # ipa-ca-install
>
> $ ipa server-role-enable $SERVER "CA"
> INFO: Server already in CA role
>
> $ server-show $SERVER
> ...
> Roles: DNS Server, CA
> ...
>
> $ ipa server-role-enable $SERVER "CA renewal master"
> SUCCESS: $server is now "CA renewal master"
> INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS
>
> What is a purpose of `ipa server-role-disable`?
>

As an administrator I need to hide a misbehaving CA master from the topology so that CSRs are not forwarded to it.

E.g. 'role_disable' can be also called internally when a 'singular' role (renewal master) is migrated to other master.
> If in future we need to configure a role then: > > $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not > supported in FW now because the attrs might differ based on $ROLE) -- Martin^3 Babinsky From simo at redhat.com Fri Mar 18 14:58:03 2016 From: simo at redhat.com (Simo Sorce) Date: Fri, 18 Mar 2016 10:58:03 -0400 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EC1079.10107@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <1458309573.26218.109.camel@redhat.com> <56EC1079.10107@redhat.com> Message-ID: <1458313083.26218.118.camel@redhat.com> On Fri, 2016-03-18 at 15:28 +0100, Petr Vobornik wrote: > On 03/18/2016 02:59 PM, Simo Sorce wrote: > > On Fri, 2016-03-18 at 14:44 +0100, Petr Vobornik wrote: > >> On 03/18/2016 10:59 AM, Martin Kosek wrote: > >>> On 03/18/2016 10:47 AM, Martin Babinsky wrote: > >>>> On 03/18/2016 10:21 AM, Martin Kosek wrote: > >>>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: > >>>>>> Hi list, > >>>>>> > >>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design > >>>>>> document concerning the concept of Server Roles as a user-friendly abstraction > >>>>>> of the services running on IPA masters. > >>>>>> > >>>>>> The main aim of this feature is to provide a higher level interface to query > >>>>>> and manipulate service-related information stored in dirsrv backend. > >>>>>> > >>>>>> I have not touched the design much from the post-Devconf session, mainly > >>>>>> because there are some points to clarify and agree upon. > >>>>> > >>>>> Initial thoughts: > >>>>> > >>>>> * Use Cases: these are rather vague points what you want to implement. In Use > >>>>> Case section, I would like to see what specific *user* use cases you are > >>>>> addressing, i.e. what user problems you are solving. Ideally in a form of a > >>>>> user story. 
Like here: > >>>>> > >>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases > >>>>> or here: > >>>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases > >>>>> or here: > >>>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases > >>>>> > >>>> Ok I will thing of some clearer points. > >>>> > >>>>>> I have the following points to discuss: > >>>>>> > >>>>>> 1.) the design assumes that there is a distinction between roles such as DNS > >>>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL > >>>>>> master, etc. Now in the hindsight I think this distinction is quite artificial > >>>>>> and just clutters the interface unnecessarily. We might implement this kind of > >>>>>> hierarchy in the code itself but that is something the user needs not be > >>>>>> aware of. > >>>>> > >>>>> Well, there are dependencies. A server cannot be a CRL master without also > >>>>> being a CA role. I assume same applies to DNSSEC master. > >>>>> > >>>>> I think we need to think more about distinguishing what is role, what is just > >>>>> an attribute of a role, etc. AD for example distinguishes roles, role service > >>>>> and features: > >>>>> > >>>>> https://technet.microsoft.com/en-us/library/cc754923.aspx > >>>>> > >>>> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I > >>>> would like to discuss is whether it is necessary to expose this hierarchy to > >>>> the users. Consider a case when user wants to find which server is a CA renewal > >>>> master: > >>>> > >>>> ipa server-role-find "CA renewal master" > >>>> > >>>> vs. > >>>> > >>>> ipa server-role-find --subrole "Renewal master" > >>>> > >>>> Behind the scenes, the code has to do the same thing (e.g. issue a search using > >>>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), > >>>> but the UX is a bit different. > >>> > >>> Well, even the LDAP structure is different in this case. 
CA role is an object > >>> in cn=masters, caRenewalMaster is it's property. So they will likely be > >>> different user objects too. > >>> > >>> For your example, I can image a search like that: > >>> > >>> $ ipa server-role-find "CA" --subrole "renewal-master" > >>> > >>> (for the case when you have "DNS" role also with "renewal-master" sub-role). > >>> > >>> Martin > >>> > >> > >> I don't have a strong option about this matter. > >> > >> Number of roles will be limited. I don't see any point in developing > >> hierarchies in CLI/API/Web UI. Simply describing the roles and their > >> dependencies in server-role help should be enough. > >> > >> Hierarchy and dependency should be checked internally. > >> > >> Question is how it should behave in practice. There is no example in the > >> design page. Imagine these use cases: > >> > >> $ server-role-find > >> "CA" > >> "CA renewal master" > >> "DNS server" > >> "DNSSec Key Master" > >> ... > >> > >> maybe is should print also description, but help might be enough. > >> > >> > >> $ ipa server-role-enable $SERVER "CA renewal master" > >> Error: Server must have a "CA" role. > >> > >> $ ipa server-role-enable $SERVER "CA" > >> Error: run ipa-ca-install on $SERVER to enable the CA role > >> > >> Note: if in future we implement a privileged daemon then the > >> installation can be done by the daemon. > >> > >> # ipa-ca-install > >> > >> $ ipa server-role-enable $SERVER "CA" > >> INFO: Server already in CA role > >> > >> $ server-show $SERVER > >> ... > >> Roles: DNS Server, CA > >> ... > >> > >> $ ipa server-role-enable $SERVER "CA renewal master" > >> SUCCESS: $server is now "CA renewal master" > >> INFO: "CA renewal master" role was unset from $SERVER_PREVIOUS > >> > >> What is a purpose of `ipa server-role-disable`? 
> >>
> >> If in future we need to configure a role then:
> >>
> >> $ ipa server-role-mod $SERVER $ROLE --fooattr=value (this is not
> >> supported in FW now because the attrs might differ based on $ROLE)
> >
> > I am not sure why we use enable/disable verbs here, why not a simple
> > add/remove ?
>
> 'Add' is fine with me. AFAIK, there is no use case for 'remove' now,
> but in future it is probably OK.
>
> > enable/disabled usually means you can add a role but keep it disabled,
> > or that you can keep a role installed and just disable it, but that is
> > not really the case.
> >
> > Also I would like to draw attention to one other aspect.
> > Roles != Services, in the list of roles for example I see memcached, it
> > is in the list because you picked up all services and made a role out of
> > them, but they are not all roles.
> >
> > in fact memcached is just an implementation detail of the framework and
> > should not be mentioned at all (and in fact we are planning to stop
> > using it altogether).
> >
> > Another "role" that should probably not exist is kpasswd, again kpasswd
> > is there only because we required to start a separate service to
> > implement its functionality, but semantically it is just an
> > implementation detail of the KDC role. A master KDC will *always* have
> > it, and in future, a Read Only KDC will not have it or use a different
> > service that can proxy password change requests to a writable master, in
> > any case an admin should not be able to "enable/disable" this role
> > disjointly from the KDC role.
>
> I don't see them listed as a role in the design. They are just a service
> of implicit 'master' role.

Sorry, then I misunderstood the page partially.

> >
> > Finally, although the KRA is a separate Role it has a dependency on the
> > CA Role, how is that expressed ?
> >
> > Last but not least, why do we need a "role" concept ? Can't we simply
> > expose the running services ?
If not, the reasons why need to be > > explained in the design page, as currently it only says that Role are > > introduced to expose the information, but it doesn't say why just > > exposing the information w/o changing any semantics is not desirable. > > > > My 2c, > > Simo. > > > > I see roles as info for admins. Services are implementation detail. Ok, I am just asking to explain why in the page, a couple of sentences, no more. > Use cases I see: > 1. Administrator wants to know which servers are configured with > CA|KRA|DNS. > 2. Administrator wants to know which server is CRL master. > 3. We want this info to be able to display it in topology graph (but > this is for 4.5). Ack, ack and ack. > Should there be an NTP server role? Probably. -- Simo Sorce * Red Hat, Inc * New York From tjaalton at ubuntu.com Fri Mar 18 22:27:31 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Sat, 19 Mar 2016 00:27:31 +0200 Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer In-Reply-To: <56EADD09.2060109@redhat.com> References: <56EADD09.2060109@redhat.com> Message-ID: <56EC80D3.6010703@ubuntu.com> On 17.03.2016 18:36, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5681 would be nicer if ipa-httpd.conf was a template with the current hardcoded values replaced with platform paths.. not relevant to this patch, but there are others candidates for templates like: daemons/dnssec/ipa-dnskeysyncd.service daemons/dnssec/ipa-ods-exporter.service install/conf/ipa.conf From mbasti at redhat.com Sun Mar 20 20:56:34 2016 From: mbasti at redhat.com (Martin Basti) Date: Sun, 20 Mar 2016 21:56:34 +0100 Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup Message-ID: <56EF0E82.5090301@redhat.com> Patches attached. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0442-pylint-remove-bare-except.patch Type: text/x-patch Size: 21832 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0443-Pylint-fix-definition-of-global-variables.patch Type: text/x-patch Size: 2941 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0444-Pylint-enable-pointless-except-check.patch Type: text/x-patch Size: 729 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0445-Pylint-enable-reimported-check.patch Type: text/x-patch Size: 5017 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0446-Pylint-use-list-comprehension-instead-of-iteration.patch Type: text/x-patch Size: 1434 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0447-Pylint-import-max-one-module-per-line.patch Type: text/x-patch Size: 4079 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0448-Pylint-remove-unnecessary-semicolon.patch Type: text/x-patch Size: 5055 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0449-Pylint-enable-invalid-name-check.patch
Type: text/x-patch
Size: 669 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Mar 21 06:48:23 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 21 Mar 2016 07:48:23 +0100
Subject: [Freeipa-devel] [PATCH 0439] Do not do extra search for ipasshpubkey
In-Reply-To: <56EBF37F.4090101@redhat.com>
References: <56E804A4.4000505@redhat.com> <56EBF37F.4090101@redhat.com>
Message-ID: <56EF9937.5030100@redhat.com>

On 18.3.2016 13:24, Martin Babinsky wrote:
> On 03/15/2016 01:48 PM, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/3376
>>
>> Patch attached.
>>
>>
> ACK but fix the 'behavioar' typo in the commit message before pushing.

1) You are breaking the default_attributes contract by declaring ipasshpubkey as default attribute and then removing it from the result. This is a hack, which makes the code less readable ("If ipasshpubkey is in default_attributes, why am I not getting it in the result?") and requires every developer to remember to remove ipasshpubkey themselves if they are using user/host objects in their code and want the same behavior as user/host commands. Please keep the change isolated in the relevant commands.

2) Don't add ipasshpubkey to search_attributes, we don't want user-find and friends to search inside ipasshpubkey.
-- Jan Cholasta From mkosek at redhat.com Mon Mar 21 07:55:38 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 21 Mar 2016 08:55:38 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <1458313083.26218.118.camel@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <1458309573.26218.109.camel@redhat.com> <56EC1079.10107@redhat.com> <1458313083.26218.118.camel@redhat.com> Message-ID: <56EFA8FA.5020105@redhat.com> On 03/18/2016 03:58 PM, Simo Sorce wrote: > On Fri, 2016-03-18 at 15:28 +0100, Petr Vobornik wrote: >> On 03/18/2016 02:59 PM, Simo Sorce wrote: ... >> Use cases I see: >> 1. Administrator wants to know which servers are configured with >> CA|KRA|DNS. >> 2. Administrator wants to know which server is CRL master. >> 3. We want this info to be able to display it in topology graph (but >> this is for 4.5). > > Ack, ack and ack. +1. *This* is what I was looking for in the Design page Use Case section, that I mentioned in my first reply. The rest of the design page should be written with these use cases in mind. >> Should there be an NTP server role? > > Probably. 
> From mkosek at redhat.com Mon Mar 21 08:02:39 2016 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 21 Mar 2016 09:02:39 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EC140B.9060806@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <56EC140B.9060806@redhat.com> Message-ID: <56EFAA9F.9000206@redhat.com> On 03/18/2016 03:43 PM, Martin Babinsky wrote: > On 03/18/2016 02:44 PM, Petr Vobornik wrote: >> On 03/18/2016 10:59 AM, Martin Kosek wrote: >>> On 03/18/2016 10:47 AM, Martin Babinsky wrote: >>>> On 03/18/2016 10:21 AM, Martin Kosek wrote: >>>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>>>>> Hi list, >>>>>> >>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP >>>>>> design >>>>>> document concerning the concept of Server Roles as a user-friendly >>>>>> abstraction >>>>>> of the services running on IPA masters. >>>>>> >>>>>> The main aim of this feature is to provide a higher level interface >>>>>> to query >>>>>> and manipulate service-related information stored in dirsrv backend. >>>>>> >>>>>> I have not touched the design much from the post-Devconf session, >>>>>> mainly >>>>>> because there are some points to clarify and agree upon. >>>>> >>>>> Initial thoughts: >>>>> >>>>> * Use Cases: these are rather vague points what you want to >>>>> implement. In Use >>>>> Case section, I would like to see what specific *user* use cases you >>>>> are >>>>> addressing, i.e. what user problems you are solving. Ideally in a >>>>> form of a >>>>> user story. Like here: >>>>> >>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>>>> or here: >>>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>>>> >>>> Ok I will thing of some clearer points. 
>>>> >>>>>> I have the following points to discuss: >>>>>> >>>>>> 1.) the design assumes that there is a distinction between roles >>>>>> such as DNS >>>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key >>>>>> master, CRL >>>>>> master, etc. Now in the hindsight I think this distinction is quite >>>>>> artificial >>>>>> and just clutters the interface unnecessarily. We might implement >>>>>> this kind of >>>>>> hierarchy in the code itself but that is something the user needs >>>>>> not be >>>>>> aware of. >>>>> >>>>> Well, there are dependencies. A server cannot be a CRL master >>>>> without also >>>>> being a CA role. I assume same applies to DNSSEC master. >>>>> >>>>> I think we need to think more about distinguishing what is role, >>>>> what is just >>>>> an attribute of a role, etc. AD for example distinguishes roles, >>>>> role service >>>>> and features: >>>>> >>>>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>>>> >>>> We will have to implement the role/subrole/unicorn hierarchy anyhow. >>>> What I >>>> would like to discuss is whether it is necessary to expose this >>>> hierarchy to >>>> the users. Consider a case when user wants to find which server is a >>>> CA renewal >>>> master: >>>> >>>> ipa server-role-find "CA renewal master" >>>> >>>> vs. >>>> >>>> ipa server-role-find --subrole "Renewal master" >>>> >>>> Behind the scenes, the code has to do the same thing (e.g. issue a >>>> search using >>>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >>>> >>>> but the UX is a bit different. >>> >>> Well, even the LDAP structure is different in this case. CA role is an >>> object >>> in cn=masters, caRenewalMaster is it's property. So they will likely be >>> different user objects too. >>> >>> For your example, I can image a search like that: >>> >>> $ ipa server-role-find "CA" --subrole "renewal-master" >>> >>> (for the case when you have "DNS" role also with "renewal-master" >>> sub-role). 
>>> >>> Martin >>> >> >> I don't have a strong option about this matter. >> >> Number of roles will be limited. I don't see any point in developing >> hierarchies in CLI/API/Web UI. Simply describing the roles and their >> dependencies in server-role help should be enough. >> >> Hierarchy and dependency should be checked internally. >> >> Question is how it should behave in practice. There is no example in the >> design page. Imagine these use cases: >> >> $ server-role-find >> "CA" >> "CA renewal master" >> "DNS server" >> "DNSSec Key Master" >> ... >> >> maybe is should print also description, but help might be enough. >> > $ server-role-find > === > Certificate Authority > Manages certificate requests and revocation... > (optionally list masters) > Enabled on: master1.ipa.test, replica3.ipa.test > > === > DNS Server > manages forward and reverse name resolution > Enabled on: master1.ipa.test > > === > CA renewal master > Manages automatic renewal of certificates nearing expiration > Enabled on: replica3.ipa.test > ... Even though I disliked having renewal master as separate role and rather as a property of existing CA role, this looks reasonable. What plans do you have around the data model, that currently "CA renewal master" and "Certificate Authority" roles are implemented completely differently in cn=masters? (I mean LDAP entry vs. LDAP attribute) It would be transformed during upgrade? Also, how do you plan hiding the "services" we were not interested in seeing (like KADMIN that Simo mentioned) from these commands? Anyway, I think the best next step would actually be following Petr Spacek's idea and start with designing the user interface (CLI) and all the proposed commands that would solve the use cases Petr V. mentioned elsewhere. That would help us assess the sanity and usability of the proposed approach. 
Martin From ofayans at redhat.com Mon Mar 21 08:11:08 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 21 Mar 2016 09:11:08 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 In-Reply-To: <56E96F20.6080009@redhat.com> References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> <56E966B4.2030709@redhat.com> <56E96A25.7080504@redhat.com> <56E96F20.6080009@redhat.com> Message-ID: <56EFAC9C.7070309@redhat.com> Hi Martin, On 03/16/2016 03:35 PM, Martin Basti wrote: > > > On 16.03.2016 15:13, Martin Basti wrote: >> >> >> On 16.03.2016 14:59, Oleg Fayans wrote: >>> Hi Martin >>> >>> On 03/16/2016 02:39 PM, Martin Basti wrote: >>>> >>>> On 16.03.2016 10:59, Oleg Fayans wrote: >>>>> With this patch applied integration tests pass and in-tree tests are >>>>> gracefully skipped. >>>>> >>>>> @mkubik, It is not possible to put the decorator to util.py as per our >>>>> discussion, because it uses tasks, so tasks must be imported. But >>>>> tasks >>>>> already import util, which leads to circular imports. So I've put >>>>> it to >>>>> tasks.py >>>>> >>>>> >>>>> >>>> NACK >>>> >>>> 1) >>>> Use right ticket in commit message (#5723) >>> But (#5736) is exactly the issue that is being addressed. Probably note >>> both tickets in the commit message? >> But as I wrote in ticket #5736, this ticket should be closed, because >> issue is caused by ticket which is not finished yet, so we should >> continue just with original ticket. 
Done >> >>> >>>> 2) >>>> Link to ticket should be last in the commit message Done >>>> >>>> 3) >>>> dereplicafy >>>> >>>> 3a) >>>> wrong doc string, it removes *only* replicas not clients >>> No, in fact it removes both: >>> uninstall_replica(args[0].master, host) >>> uninstall_client(host) >>> >>> Both tasks have raiseonerr set to False, which means that even if >>> replica was not installed but the client was - it will also be removed >> I see just >> for host in args[0].replicas >> >> I don't see any >> for host in args[0].clients >> there >> >> Also uninstall_client should not be there. ipa-server-install >> --uninstall removes client too. The extra call of uninstall client is >> IMO there just because an ancient bug that is already fixed. That's done because some tests install client separately and then deliberately install replica the wrong way to test that the installer fails in a predicted way. That's why this separate uninstall_client call. The doc string was corrected. >> >>> >>>> 3b) >>>> can we rename it to something different? (replicas_cleanup, >>>> replicas_uninstall, replicas_teardown) >>> replicas_cleanup, or even topo_cleanup sounds OK to me. replicas_cleanup it is >>> >>>> 4) >>>> Please fix commit message >>>> - Wile trated correctly >>>> - followiong >>>> - rewrote -> rewrite >>> Will do Done >>> >>>> 5) >>>> decorator >>>> + def wrapped(*args): >>>> + func(*args) >>>> + for host in args[0].replicas: >>>> >>>> Shouldn't be there try-finally around func() call, or something? >>> No, the wrapped function is a test_* method: if it fails we need to see >>> the original failure >> but if something raise an exception in func(), cleanup will not be >> executed. 
>>
>> You can do
>> In [4]: try:
>>    ...:     raise ValueError('Hello')
>>    ...: finally:
>>    ...:     try:
>>    ...:         raise ValueError('Cleanup')
>>    ...:     except Exception:
>>    ...:         pass
>>    ...:
>> ---------------------------------------------------------------------------
>>
>> ValueError Traceback (most recent call
>> last)
>> in ()
>>       1 try:
>> ----> 2     raise ValueError('Hello')
>>       3 finally:
>>       4     try:
>>       5         raise ValueError('Cleanup')
>>
>> ValueError: Hello
> On the other hand, I do not want cleanup with --pdb option, so maybe it
> should just fail
>
>>
>>>
>>>> Are you sure that there is no need to return result of func()?
>>> The same applies here: we never return results from test_* methods
>> ok
>>>
>>>> *) Please create additional patch that will add licence there
>>>>
>>>>
>>> Will do :)
>>>
>>>
>>
>

The license-related patch is attached too

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0027.1-rewrote-a-misprocessed-teardown_method-method.patch
Type: text/x-patch
Size: 4655 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0029-Added-copyright-info-to-replica-promotion-tests.patch
Type: text/x-patch
Size: 919 bytes
Desc: not available
URL:

From jcholast at redhat.com Mon Mar 21 08:28:15 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 21 Mar 2016 09:28:15 +0100
Subject: [Freeipa-devel] [DESIGN] Server Roles
In-Reply-To: <56EAE651.4040603@redhat.com>
References: <56EAE651.4040603@redhat.com>
Message-ID: <56EFB09F.9010200@redhat.com>

On 17.3.2016 18:16, Martin Babinsky wrote:
> Hi list,
>
> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
> design document concerning the concept of Server Roles as a
> user-friendly abstraction of the services running on IPA masters.
> > The main aim of this feature is to provide a higher level interface to > query and manipulate service-related information stored in dirsrv backend. > > I have not touched the design much from the post-Devconf session, mainly > because there are some points to clarify and agree upon. > > I have the following points to discuss: > > 1.) the design assumes that there is a distinction between roles such as > DNS server, CA, etc. and the more specific sub-roles such as DNSSec key > master, CRL master, etc. Now in the hindsight I think this distinction > is quite artificial and just clutters the interface unnecessarily. We > might implement this kind of hierarchy in the code itself but that is > something the user needs not be aware of. These shouldn't be (sub-)roles at all - they are inherently a one-to-many relationship between the logical services and servers, whereas roles are many-to-many relationship between the logical services and servers. I would rather see them exposed in the global service config, such as: $ ipa dnsconfig-mod --sec-master=ipa12.example.com DNSSEC master: ipa12.example.com > > 2.) I guess the role names should be case insensitive so that users are > not hindered by trying to get the case right. +1 > > 3.) Do we need an internal API call which will add all services > belonging to a role to the corresponding master entry? (basically a > 'server_add_role' type of command). Currently, each service instance > adds its own service entry during service installation so we probably do > not need to duplicate this functionality. +1, we don't need more duplicate code. > > That is all I can think of right now. I had many more questions popping > up during this night's bout of insomnia, but they got lost during the day. How are we going to expose the different states of server roles? 
They can be: a) available/unavailable (the package providing the role was/was not installed on the server) b) configured/unconfigured (the installer for the role was/was not successfully run on the server, LDAP service entries exist) c) enabled/disabled My preference would be to make server-role commands work on top of available services, like this: # ipa server-role-show $HOSTNAME DNS ipa: ERROR: DNS: server role not found # dnf install freeipa-server-dns ... # ipa server-role-show $HOSTNAME DNS Name: DNS Configured: False Enabled: False # ipa-dns-install ... # ipa server-role-show $HOSTNAME DNS Name: DNS Configured: True Enabled: True > > Do not be afraid to bring up other questions/remarks/comments. This is > my first design documents so I expect them to be plenty. The CLI commands are a little bit self-inconsistent, see any other plugin for how the general layout of arguments should look like. -- Jan Cholasta From pspacek at redhat.com Mon Mar 21 09:17:32 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 21 Mar 2016 10:17:32 +0100 Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded In-Reply-To: <56EBF959.3060807@redhat.com> References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> Message-ID: <56EFBC2C.8030300@redhat.com> On 18.3.2016 13:49, Rob Crittenden wrote: > Martin Babinsky wrote: >> These patches implement behavior agreed upon during discussion of >> https://fedorahosted.org/freeipa/ticket/5677 >> >> However I'm not sure if we want to push them into 4-3 branch (the ticket >> is triaged into 4.3.2 milestone) since they modify the framework >> behavior quite a bit. >> >> If there is no need to have it there (CC'ing Milan since he is the >> reporter), I would retriage it into 4.4 milestone. > > > + desc="while getting entries (search base: '{}'," > + "filter: {})".format(base_dn, filter)) > > This is going to expose parts of the DIT in an error message to users. 
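Review bot: in the desc= argument the two adjacent string literals are joined with no separator (the first ends with a comma, the second starts with filter:), so the rendered message runs the base DN and the filter label together; add a space at the end of the first literal. The base DN is wrapped in quotes while the filter is interpolated bare, which makes the end of the filter hard to see in a log line, and the name filter passed to .format() shadows the Python builtin. If the search base and filter are meant to stay out of user-facing errors, as discussed in this thread, this detail belongs in a server-side log call with desc kept generic.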
We have > tried in the past to hide the implementation. I'd propose logging the error > and making the exception less verbose. IMHO it actually helps to print the DN. At very least the user can see if the error is happening always with the same DN or if it keeps changing. In other words, for user it is not that important to understand meaning of the DN but it might be important to see if it is the same or not. -- Petr^2 Spacek From mbabinsk at redhat.com Mon Mar 21 09:23:47 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 21 Mar 2016 10:23:47 +0100 Subject: [Freeipa-devel] [DESIGN] Server Roles In-Reply-To: <56EFAA9F.9000206@redhat.com> References: <56EAE651.4040603@redhat.com> <56EBC8A5.9080504@redhat.com> <56EBCE95.2070501@redhat.com> <56EBD16E.40005@redhat.com> <56EC062C.8000606@redhat.com> <56EC140B.9060806@redhat.com> <56EFAA9F.9000206@redhat.com> Message-ID: <56EFBDA3.2050905@redhat.com> On 03/21/2016 09:02 AM, Martin Kosek wrote: > On 03/18/2016 03:43 PM, Martin Babinsky wrote: >> On 03/18/2016 02:44 PM, Petr Vobornik wrote: >>> On 03/18/2016 10:59 AM, Martin Kosek wrote: >>>> On 03/18/2016 10:47 AM, Martin Babinsky wrote: >>>>> On 03/18/2016 10:21 AM, Martin Kosek wrote: >>>>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>>>>>> Hi list, >>>>>>> >>>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP >>>>>>> design >>>>>>> document concerning the concept of Server Roles as a user-friendly >>>>>>> abstraction >>>>>>> of the services running on IPA masters. >>>>>>> >>>>>>> The main aim of this feature is to provide a higher level interface >>>>>>> to query >>>>>>> and manipulate service-related information stored in dirsrv backend. >>>>>>> >>>>>>> I have not touched the design much from the post-Devconf session, >>>>>>> mainly >>>>>>> because there are some points to clarify and agree upon. >>>>>> >>>>>> Initial thoughts: >>>>>> >>>>>> * Use Cases: these are rather vague points what you want to >>>>>> implement. 
In Use >>>>>> Case section, I would like to see what specific *user* use cases you >>>>>> are >>>>>> addressing, i.e. what user problems you are solving. Ideally in a >>>>>> form of a >>>>>> user story. Like here: >>>>>> >>>>>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >>>>>> or here: >>>>>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >>>>>> or here: >>>>>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >>>>>> >>>>> Ok I will thing of some clearer points. >>>>> >>>>>>> I have the following points to discuss: >>>>>>> >>>>>>> 1.) the design assumes that there is a distinction between roles >>>>>>> such as DNS >>>>>>> server, CA, etc. and the more specific sub-roles such as DNSSec key >>>>>>> master, CRL >>>>>>> master, etc. Now in the hindsight I think this distinction is quite >>>>>>> artificial >>>>>>> and just clutters the interface unnecessarily. We might implement >>>>>>> this kind of >>>>>>> hierarchy in the code itself but that is something the user needs >>>>>>> not be >>>>>>> aware of. >>>>>> >>>>>> Well, there are dependencies. A server cannot be a CRL master >>>>>> without also >>>>>> being a CA role. I assume same applies to DNSSEC master. >>>>>> >>>>>> I think we need to think more about distinguishing what is role, >>>>>> what is just >>>>>> an attribute of a role, etc. AD for example distinguishes roles, >>>>>> role service >>>>>> and features: >>>>>> >>>>>> https://technet.microsoft.com/en-us/library/cc754923.aspx >>>>>> >>>>> We will have to implement the role/subrole/unicorn hierarchy anyhow. >>>>> What I >>>>> would like to discuss is whether it is necessary to expose this >>>>> hierarchy to >>>>> the users. Consider a case when user wants to find which server is a >>>>> CA renewal >>>>> master: >>>>> >>>>> ipa server-role-find "CA renewal master" >>>>> >>>>> vs. 
>>>>> >>>>> ipa server-role-find --subrole "Renewal master" >>>>> >>>>> Behind the scenes, the code has to do the same thing (e.g. issue a >>>>> search using >>>>> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), >>>>> >>>>> but the UX is a bit different. >>>> >>>> Well, even the LDAP structure is different in this case. CA role is an >>>> object >>>> in cn=masters, caRenewalMaster is it's property. So they will likely be >>>> different user objects too. >>>> >>>> For your example, I can image a search like that: >>>> >>>> $ ipa server-role-find "CA" --subrole "renewal-master" >>>> >>>> (for the case when you have "DNS" role also with "renewal-master" >>>> sub-role). >>>> >>>> Martin >>>> >>> >>> I don't have a strong option about this matter. >>> >>> Number of roles will be limited. I don't see any point in developing >>> hierarchies in CLI/API/Web UI. Simply describing the roles and their >>> dependencies in server-role help should be enough. >>> >>> Hierarchy and dependency should be checked internally. >>> >>> Question is how it should behave in practice. There is no example in the >>> design page. Imagine these use cases: >>> >>> $ server-role-find >>> "CA" >>> "CA renewal master" >>> "DNS server" >>> "DNSSec Key Master" >>> ... >>> >>> maybe is should print also description, but help might be enough. >>> >> $ server-role-find >> === >> Certificate Authority >> Manages certificate requests and revocation... >> (optionally list masters) >> Enabled on: master1.ipa.test, replica3.ipa.test >> >> === >> DNS Server >> manages forward and reverse name resolution >> Enabled on: master1.ipa.test >> >> === >> CA renewal master >> Manages automatic renewal of certificates nearing expiration >> Enabled on: replica3.ipa.test >> ... > > Even though I disliked having renewal master as separate role and rather as a > property of existing CA role, this looks reasonable. 
>
> What plans do you have around the data model, that currently "CA renewal
> master" and "Certificate Authority" roles are implemented completely
> differently in cn=masters? (I mean LDAP entry vs. LDAP attribute) It would be
> transformed during upgrade?
>

IMHO we may not need to touch LDAP structure at all if we use subtree
search of LDAP entries. Consider the following search for CA renewal master:

http://fpaste.org/343249/85492491/

I plan to use a set of (meta)classes which will dynamically provide
attributes and values to match against for each role.

The obvious disadvantage here is the additional DN manipulation to get
the master entry itself. But maybe I am missing something.

Also see Jan's reply to OP, he proposes that these singular "(sub) roles"
be transformed into virtual attributes coupled to each role:

ipa server-find --dnssec-key-master/--ca-renewal-master=True
--------------------
1 IPA server matched
--------------------
  Server name: master1.ipa.test
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 1
----------------------------

ipa server-role-show "DNS Server"
-------------------
DNS server
-------------------
manages forward and reverse name resolution
Enabled on: master1.ipa.test
DNSSec key master: master1.ipa.test

> Also, how do you plan hiding the "services" we were not interested in seeing
> (like KADMIN that Simo mentioned) from these commands?
>

I have updated the design page to mention this: there will be a default
implicit IPA master role grouping the services that must be running on
each master. This role will not be displayed in the UI. Alternatively,
since these services will not be part of any role the code which will
perform the search for roles will simply ignore them.
> Anyway, I think the best next step would actually be following Petr Spacek's > idea and start with designing the user interface (CLI) and all the proposed > commands that would solve the use cases Petr V. mentioned elsewhere. > > That would help us assess the sanity and usability of the proposed approach. > > Martin > -- Martin^3 Babinsky From pspacek at redhat.com Mon Mar 21 09:29:29 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 21 Mar 2016 10:29:29 +0100 Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup In-Reply-To: <56EF0E82.5090301@redhat.com> References: <56EF0E82.5090301@redhat.com> Message-ID: <56EFBEF9.5050509@redhat.com> On 20.3.2016 21:56, Martin Basti wrote: > Patches attached. I do not really like freeipa-mbasti-0442-pylint-remove-bare-except because it replaces most of try: ... except: with try: ... except Exception: which AFAIK does not add any value. It would be better to replace Exception with more specific exception so the code raises an error instead of continuing when something really unexpected happens. Other patches look sensible to me. -- Petr^2 Spacek From cheimes at redhat.com Mon Mar 21 09:33:30 2016 From: cheimes at redhat.com (Christian Heimes) Date: Mon, 21 Mar 2016 10:33:30 +0100 Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup In-Reply-To: <56EFBEF9.5050509@redhat.com> References: <56EF0E82.5090301@redhat.com> <56EFBEF9.5050509@redhat.com> Message-ID: <56EFBFEA.4080103@redhat.com> On 2016-03-21 10:29, Petr Spacek wrote: > On 20.3.2016 21:56, Martin Basti wrote: >> Patches attached. > > I do not really like > freeipa-mbasti-0442-pylint-remove-bare-except > because it replaces most of > > try: ... except: > > with > > try: ... except Exception: > > > which AFAIK does not add any value. It would be better to replace Exception > with more specific exception so the code raises an error instead of continuing > when something really unexpected happens. It adds some value. 
A bare except also excepts signals like KeyboardInterrupt and SystemExit. except Exception doesn't block these exceptions. But yes, more specific exceptions are better. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From pvoborni at redhat.com Mon Mar 21 10:00:55 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 21 Mar 2016 11:00:55 +0100 Subject: [Freeipa-devel] user-* commands performance issues In-Reply-To: <56EAC8AC.2030805@redhat.com> References: <56EAC8AC.2030805@redhat.com> Message-ID: <56EFC657.20803@redhat.com> On 03/17/2016 04:09 PM, Martin Basti wrote: > Hello all, > > I would like to discuss the way how we should improve the speed of > user-find commands (and other commands too if possible): > > 0) > Do not do extra search for ipasshpubkey. This is clear, patch posted for > review. > https://fedorahosted.org/freeipa/ticket/3376 > > commands: user, stageuser, host, idview > > 1) > make --no-members option visible in CLI > https://fedorahosted.org/freeipa/ticket/4995 There was a discussion around devconf that --no-members should be a default behavior of xxx-find commands and I'm for it. Reasoning: use case: 'find me all groups which satisfy this filter'. Showing members clutters the output(one group with >500 member makes it unusable) and makes things slow(both on server and CLI side). For xxx-show commands it is a question where I don't have a strong opinion. > > I don't think we should implement also --no-indirect-members, I think > that this kind of granularity is not needed. > If --no-members is used, then indirect members will be ignored too. +1 > > commands: all which use members > > 2) > Limit the amount of searches for memberof[indirect] (group, netgroup, > role, hbacrule, sudorule) and search for each dn only once in find > commands. 
> > We can have configurable option in default.conf (for example > memberof_search_limit=100 (0 unlimited)). Find commands will get members > only for specified amount and if this limit is exceeded a warning > message is shown. > I do not like this idea much, I think it should be all or nothing, I > prefer to not do this. > > However I like the idea of temporary caching inside find commands, where > each memberof DN is resolved just once and results are cached in a map > and reused in current context of command. This should be improvement > mainly for indirect searches, but cache should be faster for direct > members than doing internal calls of framework objects. This part is > backward compatible, the first part is not. > > https://fedorahosted.org/freeipa/ticket/5282 What parts of the ticket can be solved with deref plugin? I guess we can get the CNs, but not what is a direct member. Maybe it should be discussed separately. > > commands: user-find, stageuser-find, possibly all find commands > > 3) > Remove userPassword, krbPrincipalKey from search results > This change is not backward compatible, can we do this? > > https://fedorahosted.org/freeipa/ticket/5281 > > commands: user-find I'm for it, would like to hear other opinions. Note: it should be only in user-find commands. 'show' has to display it. > > Martin^2 > -- Petr Vobornik From jcholast at redhat.com Mon Mar 21 11:02:34 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Mar 2016 12:02:34 +0100 Subject: [Freeipa-devel] Converting plugin output In-Reply-To: <56EC1028.40600@redhat.com> References: <56EC1028.40600@redhat.com> Message-ID: <56EFD4CA.8080502@redhat.com> Hi, On 18.3.2016 15:26, Christian Heimes wrote: > Hi, > > I'd like to use FreeIPA's RPC interface from Ansible directly. 
But the
> output of plugins is rather unfriendly and unpythonic:
>
> >>> print(api.Command.dnsconfig_show())
> {u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
> (u'FALSE',)}, u'value': None, u'summary': None}
>
> Please notice (u'FALSE',) instead of False.

This is how the framework does things - there is no internal consistency
and no singular place where coding of values is handled, a lot of the
output is generated by ad-hoc code somewhere in post_callbacks.
Unfortunately this is not easily fixable.

>
>
> I have written a simple function that uses the parameter definitions to
> convert most values automatically:
>
> def converter(plugin, *args, **kwargs):
>     response = plugin(*args, **kwargs)
>     params = {p.name: p for p in plugin.obj.takes_params}
>     if hasattr(plugin, 'output_params'):
>         params.update({p.name: p for p in plugin.output_params()})
>     results = response['result']
>     if isinstance(results, dict):
>         results = [results]
>     for result in results:
>         for key, value in result.iteritems():
>             param = params.get(key)
>             if param is None:
>                 continue
>             if (value and not param.multivalue and
>                     isinstance(value, (list, tuple))):
>                 if len(value) > 1:
>                     raise ValueError(key, value)
>                 value = value[0]
>             result[key] = param.convert(value)
>     return response
>
> It works like a charm for several plugins:
>
> >>> print(converter(api.Command.dnsconfig_show))
> {u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
> False}, u'value': None, u'summary': None}
>
>
> But it is failing for some plugins like user_find(). The plugin returns
> u'memberof_group': (u'admins', u'trust admins'). However
> global_output_params defines the value as an optional and single valued
> string:
>
> Str('memberof_group?', label=_('Member of groups')).
>
> I think the definition is wrong. memberof_group and some other fields
> should be defined as optional and multivalued fields instead. Even the
> field's label uses a plural form.
>
> What do you think?
Yes, the definition is wrong, but I don't think it's worth fixing, since you can't rely on a single-value param having a single value in the output for any other command and param anyway. Honza -- Jan Cholasta From jcholast at redhat.com Mon Mar 21 11:25:20 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Mar 2016 12:25:20 +0100 Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded In-Reply-To: <56EFBC2C.8030300@redhat.com> References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> Message-ID: <56EFDA20.9090005@redhat.com> On 21.3.2016 10:17, Petr Spacek wrote: > On 18.3.2016 13:49, Rob Crittenden wrote: >> Martin Babinsky wrote: >>> These patches implement behavior agreed upon during discussion of >>> https://fedorahosted.org/freeipa/ticket/5677 >>> >>> However I'm not sure if we want to push them into 4-3 branch (the ticket >>> is triaged into 4.3.2 milestone) since they modify the framework >>> behavior quite a bit. >>> >>> If there is no need to have it there (CC'ing Milan since he is the >>> reporter), I would retriage it into 4.4 milestone. >> >> >> + desc="while getting entries (search base: '{}'," >> + "filter: {})".format(base_dn, filter)) >> >> This is going to expose parts of the DIT in an error message to users. We have >> tried in the past to hide the implementation. I'd propose logging the error >> and making the exception less verbose. I agree with Rob here, we shouldn't expose internal stuff in error messages for users. In this particular case, even if we included internal stuff in the error message, it should be the error message returned by the server rather than this ad-hoc message. > > IMHO it actually helps to print the DN. At very least the user can see if the > error is happening always with the same DN or if it keeps changing. 
> > In other words, for user it is not that important to understand meaning of the > DN but it might be important to see if it is the same or not. I can't imagine a situation where it would actually be useful for the user (as opposed to the admin, who has access to logs) to know the base DN of some arbitrary LDAP search operation. Could you give an example? -- Jan Cholasta From mbasti at redhat.com Mon Mar 21 11:30:40 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 21 Mar 2016 12:30:40 +0100 Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup In-Reply-To: <56EFBFEA.4080103@redhat.com> References: <56EF0E82.5090301@redhat.com> <56EFBEF9.5050509@redhat.com> <56EFBFEA.4080103@redhat.com> Message-ID: <56EFDB60.7060002@redhat.com> On 21.03.2016 10:33, Christian Heimes wrote: > On 2016-03-21 10:29, Petr Spacek wrote: >> On 20.3.2016 21:56, Martin Basti wrote: >>> Patches attached. >> I do not really like >> freeipa-mbasti-0442-pylint-remove-bare-except >> because it replaces most of >> >> try: ... except: >> >> with >> >> try: ... except Exception: >> >> >> which AFAIK does not add any value. It would be better to replace Exception >> with more specific exception so the code raises an error instead of continuing >> when something really unexpected happens. > It adds some value. A bare except also excepts signals like > KeyboardInterrupt and SystemExit. except Exception doesn't block these > exceptions. > > But yes, more specific exceptions are better. > > Christian > > > > 'except Exception' is another pylint check :D I replaced bare except with a particular exception in cases where it was clear. For other occurrences of bare except it covers too much Exception types, so catch Exception is more sensible, or I need crystal ball to detect what kind of exceptions can be raised there. Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... 
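The three handler styles debated in this thread (bare except, except Exception, a specific exception), compared on what each one hides. This is an added example, not part of the thread or of the FreeIPA patches; the handler functions, the installer-like step names and the raised failures are all constructed for illustration.

```python
"""Constructed comparison of bare except, except Exception and a specific handler."""


def bare_except(action):
    """The form pylint flags: catches every BaseException subclass."""
    try:
        action()
    except:  # noqa: E722 (deliberately bare, the 'before' form)
        return "swallowed"
    return "ok"


def except_exception(action):
    """The mechanical replacement: lets interpreter-exit exceptions through."""
    try:
        action()
    except Exception:
        return "swallowed"
    return "ok"


def except_specific(action):
    """Only the failure the caller can actually handle (OSError here)."""
    try:
        action()
    except OSError:
        return "swallowed"
    return "ok"


def raiser(exc_type):
    """Build a callable that raises exc_type when invoked."""
    def action():
        raise exc_type("constructed failure")
    return action


def outcome(handler, exc_type):
    """Return 'swallowed' if handler hid exc_type, else 'propagated'."""
    try:
        return handler(raiser(exc_type))
    except BaseException:
        return "propagated"


HANDLERS = (bare_except, except_exception, except_specific)
SAMPLES = (OSError, ValueError, KeyboardInterrupt, SystemExit)


def survey():
    """Map each sample exception to what every handler style did with it."""
    return {
        exc.__name__: {h.__name__: outcome(h, exc) for h in HANDLERS}
        for exc in SAMPLES
    }


# Hypothetical installer steps: the middle one asks the process to stop.
def configure():
    pass


def abort():
    raise SystemExit(1)


def enroll():
    pass


STEPS = (configure, abort, enroll)


def run_steps(steps, guard):
    """Run each step under guard and return the names of steps that started."""
    started = []
    try:
        for step in steps:
            started.append(step.__name__)
            guard(step)
    except SystemExit:
        pass  # a real process would terminate here
    return started


if __name__ == "__main__":
    for name, row in survey().items():
        print(name, row)
    print("bare except:     ", run_steps(STEPS, bare_except))
    print("except Exception:", run_steps(STEPS, except_exception))
```

Under the bare handler the exit request from the middle step is ignored and the last step still runs; under except Exception the run stops, but an unexpected ValueError is still hidden, which only the specific handler surfaces.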
URL: From jcholast at redhat.com Mon Mar 21 11:44:27 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 21 Mar 2016 12:44:27 +0100 Subject: [Freeipa-devel] user-* commands performance issues In-Reply-To: <56EFC657.20803@redhat.com> References: <56EAC8AC.2030805@redhat.com> <56EFC657.20803@redhat.com> Message-ID: <56EFDE9B.8030503@redhat.com> On 21.3.2016 11:00, Petr Vobornik wrote: > On 03/17/2016 04:09 PM, Martin Basti wrote: >> Hello all, >> >> I would like to discuss the way how we should improve the speed of >> user-find commands (and other commands too if possible): >> >> 0) >> Do not do extra search for ipasshpubkey. This is clear, patch posted for >> review. >> https://fedorahosted.org/freeipa/ticket/3376 >> >> commands: user, stageuser, host, idview >> >> 1) >> make --no-members option visible in CLI >> https://fedorahosted.org/freeipa/ticket/4995 > > There was a discussion around devconf that --no-members should be a > default behavior of xxx-find commands and I'm for it. +1, although we should be backward compatible with old clients which expect the attributes to be there. > > Reasoning: use case: 'find me all groups which satisfy this filter'. > Showing members clutters the output(one group with >500 member makes it > unusable) and makes things slow(both on server and CLI side). > > For xxx-show commands it is a question where I don't have a strong opinion. I think it shouldn't hurt to keep them in -show commands, as there is always only a single entry to process. > >> >> I don't think we should implement also --no-indirect-members, I think >> that this kind of granularity is not needed. >> If --no-members is used, then indirect members will be ignored too. > > +1 +1 > >> >> commands: all which use members >> >> 2) >> Limit the amount of searches for memberof[indirect] (group, netgroup, >> role, hbacrule, sudorule) and search for each dn only once in find >> commands. 
>> >> We can have configurable option in default.conf (for example >> memberof_search_limit=100 (0 unlimited)). Find commands will get members >> only for specified amount and if this limit is exceeded a warning >> message is shown. >> I do not like this idea much, I think it should be all or nothing, I >> prefer to not do this. +1 >> >> However I like the idea of temporary caching inside find commands, where >> each memberof DN is resolved just once and results are cached in a map >> and reused in current context of command. This should be improvement >> mainly for indirect searches, but cache should be faster for direct >> members than doing internal calls of framework objects. This part is >> backward compatible, the first part is not. >> >> https://fedorahosted.org/freeipa/ticket/5282 > > What parts of the ticket can be solved with deref plugin? I guess we can > get the CNs, but not what is a direct member. Maybe it should be > discussed separately. Indirect members are already resolved by a single LDAP search. What kind of additional optimization would you like to do for them? > >> >> commands: user-find, stageuser-find, possibly all find commands >> >> 3) >> Remove userPassword, krbPrincipalKey from search results >> This change is not backward compatible, can we do this? >> >> https://fedorahosted.org/freeipa/ticket/5281 >> >> commands: user-find > > I'm for it, would like to hear other opinions. > > Note: it should be only in user-find commands. 'show' has to display it. 
+1 -- Jan Cholasta From mbasti at redhat.com Mon Mar 21 12:02:40 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 21 Mar 2016 13:02:40 +0100 Subject: [Freeipa-devel] user-* commands performance issues In-Reply-To: <56EFDE9B.8030503@redhat.com> References: <56EAC8AC.2030805@redhat.com> <56EFC657.20803@redhat.com> <56EFDE9B.8030503@redhat.com> Message-ID: <56EFE2E0.7030304@redhat.com> On 21.03.2016 12:44, Jan Cholasta wrote: > On 21.3.2016 11:00, Petr Vobornik wrote: >> On 03/17/2016 04:09 PM, Martin Basti wrote: >>> Hello all, >>> >>> I would like to discuss the way how we should improve the speed of >>> user-find commands (and other commands too if possible): >>> >>> 0) >>> Do not do extra search for ipasshpubkey. This is clear, patch posted >>> for >>> review. >>> https://fedorahosted.org/freeipa/ticket/3376 >>> >>> commands: user, stageuser, host, idview >>> >>> 1) >>> make --no-members option visible in CLI >>> https://fedorahosted.org/freeipa/ticket/4995 >> >> There was a discussion around devconf that --no-members should be a >> default behavior of xxx-find commands and I'm for it. > > +1, although we should be backward compatible with old clients which > expect the attributes to be there. Ok, I agree to have --no-members as default for *-find commands, but it doesn't contradict to exposing --no-member option for all commands. > >> >> Reasoning: use case: 'find me all groups which satisfy this filter'. >> Showing members clutters the output(one group with >500 member makes it >> unusable) and makes things slow(both on server and CLI side). >> >> For xxx-show commands it is a question where I don't have a strong >> opinion. > > I think it shouldn't hurt to keep them in -show commands, as there is > always only a single entry to process. +1 > >> >>> >>> I don't think we should implement also --no-indirect-members, I think >>> that this kind of granularity is not needed. >>> If --no-members is used, then indirect members will be ignored too. 
>> >> +1 > > +1 > >> >>> >>> commands: all which use members >>> >>> 2) >>> Limit the amount of searches for memberof[indirect] (group, netgroup, >>> role, hbacrule, sudorule) and search for each dn only once in find >>> commands. >>> >>> We can have configurable option in default.conf (for example >>> memberof_search_limit=100 (0 unlimited)). Find commands will get >>> members >>> only for specified amount and if this limit is exceeded a warning >>> message is shown. >>> I do not like this idea much, I think it should be all or nothing, I >>> prefer to not do this. > > +1 > >>> >>> However I like the idea of temporary caching inside find commands, >>> where >>> each memberof DN is resolved just once and results are cached in a map >>> and reused in current context of command. This should be improvement >>> mainly for indirect searches, but cache should be faster for direct >>> members than doing internal calls of framework objects. This part is >>> backward compatible, the first part is not. >>> >>> https://fedorahosted.org/freeipa/ticket/5282 >> >> What parts of the ticket can be solved with deref plugin? I guess we can >> get the CNs, but not what is a direct member. Maybe it should be >> discussed separately. > > Indirect members are already resolved by a single LDAP search. What > kind of additional optimization would you like to do for them? We can use deref plugin to get pkeys from one search in case that pkeys are not part of DN. (I have to investigate if it is worth to do for user-find, I'm not sure if any memberof attributes have pkey that is not part of DN) For indirect members, it is one search per entry, but for 1000 users, it is 1000 searches and I would like to have just one for the particular indirect member. > >> >>> >>> commands: user-find, stageuser-find, possibly all find commands >>> >>> 3) >>> Remove userPassword, krbPrincipalKey from search results >>> This change is not backward compatible, can we do this? 
>>> >>> https://fedorahosted.org/freeipa/ticket/5281 >>> >>> commands: user-find >> >> I'm for it, would like to hear other opinions. >> >> Note: it should be only in user-find commands. 'show' has to display it. > > +1 > From lslebodn at redhat.com Mon Mar 21 12:50:40 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 21 Mar 2016 13:50:40 +0100 Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup In-Reply-To: <56EFDB60.7060002@redhat.com> References: <56EF0E82.5090301@redhat.com> <56EFBEF9.5050509@redhat.com> <56EFBFEA.4080103@redhat.com> <56EFDB60.7060002@redhat.com> Message-ID: <20160321125040.GE5897@mail.corp.redhat.com> On (21/03/16 12:30), Martin Basti wrote: >On 21.03.2016 10:33, Christian Heimes wrote: >>On 2016-03-21 10:29, Petr Spacek wrote: >>>On 20.3.2016 21:56, Martin Basti wrote: >>>>Patches attached. >>>I do not really like >>>freeipa-mbasti-0442-pylint-remove-bare-except >>>because it replaces most of >>> >>>try: ... except: >>> >>>with >>> >>>try: ... except Exception: >>> >>> >>>which AFAIK does not add any value. It would be better to replace Exception >>>with more specific exception so the code raises an error instead of continuing >>>when something really unexpected happens. >>It adds some value. A bare except also excepts signals like >>KeyboardInterrupt and SystemExit. except Exception doesn't block these >>exceptions. >> >>But yes, more specific exceptions are better. >> >>Christian >> >> >> >> >'except Exception' is another pylint check :D > >I replaced bare except with a particular exception in cases where it was >clear. For other occurrences of bare except it covers too much Exception >types, so catch Exception is more sensible, or I need crystal ball to detect >what kind of exceptions can be raised there. > Agree. It can be changed to more specific exceptions type of Exception in future. This change is less risky. 
pylint passed on fedora {23, 24, rawhide} ACK LS From ofayans at redhat.com Mon Mar 21 12:51:10 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 21 Mar 2016 13:51:10 +0100 Subject: [Freeipa-devel] [TEST][Patch-0030]Next part of replica promotion tests Message-ID: <56EFEE3E.5010202@redhat.com> -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0030-Added-5-more-tests-to-Replica-Promotion-testsuite.patch Type: text/x-patch Size: 7423 bytes Desc: not available URL: From pvoborni at redhat.com Mon Mar 21 14:50:56 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 21 Mar 2016 15:50:56 +0100 Subject: [Freeipa-devel] user-* commands performance issues In-Reply-To: <56EFE2E0.7030304@redhat.com> References: <56EAC8AC.2030805@redhat.com> <56EFC657.20803@redhat.com> <56EFDE9B.8030503@redhat.com> <56EFE2E0.7030304@redhat.com> Message-ID: <56F00A50.6000602@redhat.com> On 03/21/2016 01:02 PM, Martin Basti wrote: > > > On 21.03.2016 12:44, Jan Cholasta wrote: >> On 21.3.2016 11:00, Petr Vobornik wrote: >>> On 03/17/2016 04:09 PM, Martin Basti wrote: >>>> Hello all, >>>> >>>> I would like to discuss the way how we should improve the speed of >>>> user-find commands (and other commands too if possible): >>>> >>>> 0) >>>> Do not do extra search for ipasshpubkey. This is clear, patch posted >>>> for >>>> review. >>>> https://fedorahosted.org/freeipa/ticket/3376 >>>> >>>> commands: user, stageuser, host, idview >>>> >>>> 1) >>>> make --no-members option visible in CLI >>>> https://fedorahosted.org/freeipa/ticket/4995 >>> >>> There was a discussion around devconf that --no-members should be a >>> default behavior of xxx-find commands and I'm for it. >> >> +1, although we should be backward compatible with old clients which >> expect the attributes to be there. 
> Ok, I agree to have --no-members as default for *-find commands, but it > doesn't contradict to exposing --no-member option for all commands. +1, xxx-show can have --no-members > >> >>> >>> Reasoning: use case: 'find me all groups which satisfy this filter'. >>> Showing members clutters the output(one group with >500 member makes it >>> unusable) and makes things slow(both on server and CLI side). >>> >>> For xxx-show commands it is a question where I don't have a strong >>> opinion. >> >> I think it shouldn't hurt to keep them in -show commands, as there is >> always only a single entry to process. > +1 > >> >>> >>>> >>>> I don't think we should implement also --no-indirect-members, I think >>>> that this kind of granularity is not needed. >>>> If --no-members is used, then indirect members will be ignored too. >>> >>> +1 >> >> +1 >> >>> >>>> >>>> commands: all which use members >>>> >>>> 2) >>>> Limit the amount of searches for memberof[indirect] (group, netgroup, >>>> role, hbacrule, sudorule) and search for each dn only once in find >>>> commands. >>>> >>>> We can have configurable option in default.conf (for example >>>> memberof_search_limit=100 (0 unlimited)). Find commands will get >>>> members >>>> only for specified amount and if this limit is exceeded a warning >>>> message is shown. >>>> I do not like this idea much, I think it should be all or nothing, I >>>> prefer to not do this. >> >> +1 I'd also avoid anything special here. But there are sometimes cases when the behavior is not good. E.g. a command fails because something is not able to get members and you actually don't care about the members. Not sure if it is was "fixed"(sizelimit=0). But with new member handling it might not be a big issue. >> >>>> >>>> However I like the idea of temporary caching inside find commands, >>>> where >>>> each memberof DN is resolved just once and results are cached in a map >>>> and reused in current context of command. 
This should be improvement >>>> mainly for indirect searches, but cache should be faster for direct >>>> members than doing internal calls of framework objects. This part is >>>> backward compatible, the first part is not. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5282 >>> >>> What parts of the ticket can be solved with deref plugin? I guess we can >>> get the CNs, but not what is a direct member. Maybe it should be >>> discussed separately. >> >> Indirect members are already resolved by a single LDAP search. What >> kind of additional optimization would you like to do for them? > > We can use deref plugin to get pkeys from one search in case that pkeys > are not part of DN. (I have to investigate if it is worth to do for > user-find, I'm not sure if any memberof attributes have pkey that is not > part of DN) sudo rule, hbac rule > > For indirect members, it is one search per entry, but for 1000 users, it > is 1000 searches and I would like to have just one for the particular > indirect member. are we talking about user-find? If so then it is mostly solved with default --no-member style behavior. But if a user or a group is directly/indirectly a member of a lot of groups(1000) then it might become slow. But caching won't probably help much, not sure. > > >> >>> >>>> >>>> commands: user-find, stageuser-find, possibly all find commands >>>> >>>> 3) >>>> Remove userPassword, krbPrincipalKey from search results >>>> This change is not backward compatible, can we do this? >>>> >>>> https://fedorahosted.org/freeipa/ticket/5281 >>>> >>>> commands: user-find >>> >>> I'm for it, would like to hear other opinions. >>> >>> Note: it should be only in user-find commands. 'show' has to display it. 
>> >> +1 >> > -- Petr Vobornik From ofayans at redhat.com Mon Mar 21 14:54:14 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 21 Mar 2016 15:54:14 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <20160317193747.GB23625@mail.corp.redhat.com> References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> Message-ID: <56F00B16.90402@redhat.com> Hi Lukas, Martin, Looks I've implemented the approach proposed by Martin. The issue seems to have gone (see the external_ca_out for external_ca test output). Would like you to take a look and tell me what'd you think. On 03/17/2016 08:37 PM, Lukas Slebodnik wrote: > On (17/03/16 16:00), Oleg Fayans wrote: >> Hi Lukas, >> >> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: >>> On (10/03/16 23:09), Oleg Fayans wrote: >>>> Hi Martin, >>>> >>>> >>>> >>>> On 03/08/2016 08:18 PM, Martin Basti wrote: >>>>> >>>>> >>>>> On 08.03.2016 18:24, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>>>> The patches were rebased against the current master >>>>>>> >>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>>>> * old messages have been removed * >>>>>>>>>>>> 1) >>>>>>>>>>>> this method is unused please remove it >>>>>>>>>>>> >>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd better >>>>>>>>> keep it: >>>>>>>>> >>>>>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>>>> --collect-only >>>>>>>>> ==================================================================================== >>>>>>>>> >>>>>>>>> >>>>>>>>> test session starts 
>>>>>>>>> ===================================================================================== >>>>>>>>> >>>>>>>>> >>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>> pytest.ini >>>>>>>>> plugins: sourceorder, multihost >>>>>>>>> collected 8 items >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> aah my bad, I forgot that pytest executes it when it begins with test_* >>>>>>>> even in parent class >>>>>>>>>>>> 2) >>>>>>>>>>>> Why are these there? I do not see any usage >>>>>>>>>>>> >>>>>>>>>>>> from env_config import get_global_config >>>>>>>>>>>> config = get_global_config() >>>>>>>>> Removed >>>>>>>>> >>>>>>>>>>>> 3) nitpick >>>>>>>>>>>> + num_clients = 0 >>>>>>>>>>>> this is set by default >>>>>>>>> Removed >>>>>>>>> >>>>>>>>>>>> otherwise LGTM >>>>>>>>>>>> >>>>>>>>>>>> Results of testing tomorrow. >>>>>>>>>>>> >>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>>>>> >>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host >>>>>>>>>>> replica1.ipa.test already exists on the master server. 
>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should >>>>>>>>>>> remove it before proceeding: >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>>>>> host-del replica1.ipa.test >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>>> ipa-replica-install command failed. See >>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>>>>> code: 3 >>>>>>>>>>> FAILED >>>>>>>>> this is exactly the error that happens when a workaround for 5627 >>>>>>>>> is not >>>>>>>>> applied. I have re-run the tests with all the patches and everything >>>>>>>>> passed. Could you please double-check, whether patch 0027 was applied >>>>>>>>> correctly? >>>>>>>>> >>>>>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py >>>>>>>>> --pdb >>>>>>>>> ==================================================================================== >>>>>>>>> >>>>>>>>> >>>>>>>>> test session starts >>>>>>>>> ===================================================================================== >>>>>>>>> >>>>>>>>> >>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>> pytest.ini >>>>>>>>> plugins: sourceorder, multihost >>>>>>>>> collected 8 items >>>>>>>>> >>>>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>>>> >>>>>>>>> ================================================================================ >>>>>>>>> >>>>>>>>> >>>>>>>>> 8 passed in 7561.93 seconds >>>>>>>>> ================================================================================= >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> I will >>>>>>>> >>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>>>> NACK >>>>>> >>>>>> 1) >>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>> >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>> 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is >>>>>> already configured on this system, ignoring the --domain, --server, >>>>>> --realm, --hostname, --password and --keytab options. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system >>>>>> may be partly configured. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>> when the domain is at level 0. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>> ipa-replica-install command failed. 
See >>>>>> /var/log/ipareplica-install.log for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1 >>>>>> FAILED >>>>>> >>>>>> 2) >>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>> 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>>>> already configured on this system, ignoring the --domain, --server, >>>>>> --realm, --hostname, --password and --keytab options. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>>>> may be partly configured. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>> when the domain is at level 0. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>> ipa-replica-install command failed. 
See >>>>>> /var/log/ipareplica-install.log for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>>>> FAILED >>>>>> >>>>>> >>>>>> 3) >>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>>>> >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is >>>>>> already configured on this system, ignoring the --domain, --server, >>>>>> --realm, --hostname, --password and --keytab options. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system >>>>>> may be partly configured. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>> when the domain is at level 0. >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>> ipa-replica-install command failed. 
See >>>>>> /var/log/ipareplica-install.log for more information >>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1 >>>>>> FAILED >>>>>> >>>>>> >>>>>> Reason: >>>>>> >>>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>>>> - setup_kra=False, extra_args=()): >>>>>> + setup_kra=False, extra_args=(), domain_level=None): >>>>>> + if domain_level is None: >>>>>> + domain_level = domainlevel(master) >>>> >>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>>> The successful run is attached >>>> >>>>>> >>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>>> >>>>>> domain_level variable is actually unused >>>>>> >>>>> Also with your patch that removes host_prepare, I see many following >>>>> errors in test debug output >>>>> >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1: >>>>> cd: /root/ipatests: No such file or directory >>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2: >>>>> /root/ipatests/env.sh: No such file or directory >>>>> >>>>> >>>>> I do not see these errors in current tests, so the patch does not seem >>>>> right to me. >>>> >>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>>> >>>> I've been experimenting a lot to find get rid of it but was >>>> unsuccessful. Seemingly it does not affect the tests. 
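Review bot: in the install_replica hunk quoted above, the new condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` function itself with the constant instead of the `domain_level` value assigned just before it, so the level-0 branch is not taken even when the master is at level 0, which fits the quoted "You must provide a file generated by ipa-replica-prepare" failures. Change it to `if domain_level == DOMAIN_LEVEL_0:` so that the new keyword argument, or its `domainlevel(master)` fallback, is what gets tested.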
>>>> >>> Oleg it looks like you broke something >>> in the test_integration/test_external_ca.py >>> >>> _______________________ TestExternalCA.test_external_ca ________________________ >>> >>> self = >>> >>> def test_external_ca(self): >>> # Step 1 of ipa-server-install >>> self.master.run_command([ >>> 'ipa-server-install', '-U', >>> '-a', self.master.config.admin_password, >>> '-p', self.master.config.dirman_password, >>> '--setup-dns', '--no-forwarders', >>> '-n', self.master.domain.name, >>> '-r', self.master.domain.realm, >>> '--domain-level=%i' % self.master.config.domain_level, >>> '--external-ca' >>> ]) >>> >>> nss_db = os.path.join(self.master.config.test_dir, 'testdb') >>> external_cert_file = os.path.join(nss_db, 'ipa.crt') >>> external_ca_file = os.path.join(nss_db, 'ca.crt') >>> noisefile = os.path.join(self.master.config.test_dir, 'noise.txt') >>> pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt') >>> >>> # Create noise and password files for NSS database >>>> self.master.run_command('date | sha256sum > %s' % noisefile) >>> >>> test_integration/test_external_ca.py:49: >>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>> ../pytest_multihost/host.py:246: in run_command >>> command.wait(raiseonerr=raiseonerr) >>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>> >>> self = >>> raiseonerr = True >>> >>> def wait(self, raiseonerr=True): >>> """Wait for the remote process to exit >>> >>> Raises an excption if the exit code is not 0, unless raiseonerr is >>> true. 
>>>         """
>>>         if self._done:
>>>             return self.returncode
>>>
>>>         self._end_process()
>>>
>>>         self._done = True
>>>
>>>         if raiseonerr and self.returncode:
>>>             self.log.error('Exit code: %s', self.returncode)
>>>>            raise subprocess.CalledProcessError(self.returncode, self.argv)
>>> E           CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1
>>>
>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>> ---------------------------- Captured stdout setup -----------------------------
>>>
>>> ========================== 1 failed in 32.25 seconds ===========================
>>>
>>>
>>>
>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>
>>> The only explanation is that the directory /root/ipatests/ does not exist.
>>
>> Obviously this is caused by my patch N 0025
>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>
>> Without it replica_promotion tests would fail. The only compromise I see
>> is to remove this line in unapply_fixes function in
>> ipatests/test_integration/tasks.py:
>>
>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>
>> Now the biggest question is: why do we keep removing the config folder
>> anyway? All the files (backups of /etc/hosts, etc) that ever get there
>> get overwritten each time anyway so it's quite safe to just keep the
>> folder throughout the whole test execution.
>>
> I do not know why it was removed. IMHO it should be enough
> to remove just content of this directory.
>
> But it will be good to fix it ASAP
> and unblock test test_integration/test_external_ca.py
> I hope we want to have green test in 4.3 branch.
> Please also open a ticket so it can be backported to
> stable branch (if needed)
>
> LS
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0028-refactor-the-way-the-test-folder-is-created-deleted.patch Type: text/x-patch Size: 2966 bytes Desc: not available URL: -------------- next part -------------- ============================= test session starts ============================== platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini plugins: multihost, sourceorder collected 1 items test_integration/test_external_ca.py [ipa.ipatests.test_integration.base.IntegrationTest] Preparing host f23master.pesen.net [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] Authenticating with private RSA key using user root [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.f23master.cmd1] RUN ['true'] [ipa.ipatests.test_integration.host.Host.f23master.cmd1] -bash: line 1: cd: /home/ofayans/ipatests: No such file or directory [ipa.ipatests.test_integration.host.Host.f23master.cmd1] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding f23master.pesen.net:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] STAT /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] STAT /home/ofayans [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] MKDIR /home/ofayans/ipatests [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] WRITE /home/ofayans/ipatests/env.sh [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['true'] [ipa.ipatests.test_integration.host.Host.f23master.cmd2] RUN ['true'] [ipa.ipatests.test_integration.host.Host.f23master.cmd2] Exit code: 0 [ipa.ipatests.pytest_plugins.integration] Adding f23master.pesen.net:/home/ofayans/ipatests/env.sh to list of logs to collect [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] STAT 
[ipa.ipatests.test_integration.host.Host.f23master.cmd11] New SSSD config will be created [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configured sudoers in /etc/nsswitch.conf [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configured /etc/sssd/sssd.conf [ipa.ipatests.test_integration.host.Host.f23master.cmd11] trying https://f23master.pesen.net/ipa/json [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Forwarding 'ping' to json server 'https://f23master.pesen.net/ipa/json' [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Forwarding 'ca_is_enabled' to json server 'https://f23master.pesen.net/ipa/json' [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Forwarding 'host_mod' to json server 'https://f23master.pesen.net/ipa/json' [ipa.ipatests.test_integration.host.Host.f23master.cmd11] SSSD enabled [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configured /etc/openldap/ldap.conf [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configured /etc/ssh/ssh_config [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configured /etc/ssh/sshd_config [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Configuring pesen.net as NIS domain. [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Client configuration complete. 
[ipa.ipatests.test_integration.host.Host.f23master.cmd11] [ipa.ipatests.test_integration.host.Host.f23master.cmd11] [ipa.ipatests.test_integration.host.Host.f23master.cmd11] ============================================================================== [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Setup complete [ipa.ipatests.test_integration.host.Host.f23master.cmd11] [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Next steps: [ipa.ipatests.test_integration.host.Host.f23master.cmd11] 1. You must make sure these network ports are open: [ipa.ipatests.test_integration.host.Host.f23master.cmd11] TCP Ports: [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 80, 443: HTTP/HTTPS [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 389, 636: LDAP/LDAPS [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 53: bind [ipa.ipatests.test_integration.host.Host.f23master.cmd11] UDP Ports: [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 88, 464: kerberos [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 53: bind [ipa.ipatests.test_integration.host.Host.f23master.cmd11] * 123: ntp [ipa.ipatests.test_integration.host.Host.f23master.cmd11] [ipa.ipatests.test_integration.host.Host.f23master.cmd11] 2. You can now obtain a kerberos ticket using the command: 'kinit admin' [ipa.ipatests.test_integration.host.Host.f23master.cmd11] This ticket will allow you to use the IPA tools (e.g., ipa user-add) [ipa.ipatests.test_integration.host.Host.f23master.cmd11] and the web user interface. [ipa.ipatests.test_integration.host.Host.f23master.cmd11] [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Be sure to back up the CA certificates stored in /root/cacert.p12 [ipa.ipatests.test_integration.host.Host.f23master.cmd11] These files are required to create replicas. 
The password for these [ipa.ipatests.test_integration.host.Host.f23master.cmd11] files is the Directory Manager password [ipa.ipatests.test_integration.host.Host.f23master.cmd11] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.f23master.cmd12] RUN ['kinit', 'admin'] [ipa.ipatests.test_integration.host.Host.f23master.cmd12] Password for admin at PESEN.NET: [ipa.ipatests.test_integration.host.Host.f23master.cmd12] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['ipa', 'user-show', 'admin'] [ipa.ipatests.test_integration.host.Host.f23master.cmd13] RUN ['ipa', 'user-show', 'admin'] [ipa.ipatests.test_integration.host.Host.f23master.cmd13] User login: admin [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Last name: Administrator [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Home directory: /home/admin [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Login shell: /bin/bash [ipa.ipatests.test_integration.host.Host.f23master.cmd13] UID: 269200000 [ipa.ipatests.test_integration.host.Host.f23master.cmd13] GID: 269200000 [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Account disabled: False [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Password: True [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Member of groups: admins, trust admins [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Kerberos keys available: True [ipa.ipatests.test_integration.host.Host.f23master.cmd13] Exit code: 0 .[ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.f23master.cmd14] RUN ['ipa', 'domainlevel-get'] [ipa.ipatests.test_integration.host.Host.f23master.cmd14] ----------------------- [ipa.ipatests.test_integration.host.Host.f23master.cmd14] Current domain level: 1 
[ipa.ipatests.test_integration.host.Host.f23master.cmd14] ----------------------- [ipa.ipatests.test_integration.host.Host.f23master.cmd14] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.f23master.cmd15] RUN ['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'] [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Shutting down all IPA services [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring ntpd [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Configuring certmonger to stop tracking system certificates for KRA [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Configuring certmonger to stop tracking system certificates for CA [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring CA [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring named [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring ipa-dnskeysyncd [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring web server [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring krb5kdc [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring kadmin [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring directory server [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring ipa-custodia [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring ipa_memcached [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring ipa-otpd [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Removing Kerberos service principals from /etc/krb5.keytab [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r PESEN.NET' returned non-zero exit status 
5 [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Disabling client Kerberos and LDAP configurations [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Restoring client configuration files [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Unconfiguring the NIS domain. [ipa.ipatests.test_integration.host.Host.f23master.cmd15] nscd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.f23master.cmd15] nslcd daemon is not installed, skip configuration [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Systemwide CA database updated. [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Client uninstall complete. [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Removing IPA client configuration [ipa.ipatests.test_integration.host.Host.f23master.cmd15] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.f23master.cmd16] RUN ['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'] [ipa.ipatests.test_integration.host.Host.f23master.cmd16] ERROR: PKI instance '/var/lib/pki/pki-tomcat' does NOT exist! 
[ipa.ipatests.test_integration.host.Host.f23master.cmd16] [ipa.ipatests.test_integration.host.Host.f23master.cmd16] Exit code: 255 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-f23master.pesen.net.gpg'] [ipa.ipatests.test_integration.host.Host.f23master.cmd17] RUN ['rm', '-rf', '/var/log/pki/pki-tomcat', '/etc/sysconfig/pki-tomcat', '/etc/sysconfig/pki/tomcat/pki-tomcat', '/var/lib/pki/pki-tomcat', '/etc/pki/pki-tomcat', '/var/lib/ipa/replica-info-f23master.pesen.net.gpg'] [ipa.ipatests.test_integration.host.Host.f23master.cmd17] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.f23master.cmd18] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.f23master.cmd18] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.f23master.cmd18] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.f23master.cmd19] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.f23master.cmd19] xargs: Cannot open input file 
?/home/ofayans/ipatests/file_remove?: No such file or directory [ipa.ipatests.test_integration.host.Host.f23master.cmd19] Exit code: 1 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.f23master.cmd20] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.f23master.cmd20] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on f23master.pesen.net [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.f23master.cmd21] RUN if [ -d '/home/ofayans/ipatests/file_backup'/ ]; then cp -arvf '/home/ofayans/ipatests/file_backup'/* /; fi ; (find /home/ofayans/ipatests/file_backup | sed 's/\/home\/ofayans\/ipatests\/file_backup//g' | sed '/^$/d' | xargs -d ' ' /sbin/restorecon -v ||:) [ipa.ipatests.test_integration.host.Host.f23master.cmd21] find: ?/home/ofayans/ipatests/file_backup?: No such file or directory [ipa.ipatests.test_integration.host.Host.f23master.cmd21] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.f23master.cmd22] RUN ['xargs', '-d', '\\n', '-a', '/home/ofayans/ipatests/file_remove', 'rm', '-vf'] [ipa.ipatests.test_integration.host.Host.f23master.cmd22] xargs: Cannot open input file ?/home/ofayans/ipatests/file_remove?: No such 
file or directory [ipa.ipatests.test_integration.host.Host.f23master.cmd22] Exit code: 1 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.f23master.cmd23] RUN ['rm', '-rvf', '/home/ofayans/ipatests/file_backup', '/home/ofayans/ipatests/file_remove'] [ipa.ipatests.test_integration.host.Host.f23master.cmd23] Exit code: 0 [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] READ /home/ofayans/ipatests/backup_hostname [ipa.ipatests.test_integration.tasks] No hostname backed up on f23master.pesen.net [ipa.ipatests.test_integration.host.Host.f23master.ParamikoTransport] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.f23master.cmd24] RUN ['rm', '-rvf', '/home/ofayans/ipatests'] [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/env.sh? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/noise.txt? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/pwdfile.txt? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/testdb/secmod.db? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/testdb/cert8.db? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/testdb/key3.db? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/testdb/ipa.crt? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed ?/home/ofayans/ipatests/testdb/ca.crt? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed directory: ?/home/ofayans/ipatests/testdb? [ipa.ipatests.test_integration.host.Host.f23master.cmd24] removed directory: ?/home/ofayans/ipatests? 
[ipa.ipatests.test_integration.host.Host.f23master.cmd24] Exit code: 0
========================== 1 passed in 397.84 seconds ==========================

From pvoborni at redhat.com Mon Mar 21 14:55:27 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 21 Mar 2016 15:55:27 +0100
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
In-Reply-To: <56EFDA20.9090005@redhat.com>
References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> <56EFDA20.9090005@redhat.com>
Message-ID: <56F00B5F.8060407@redhat.com>

On 03/21/2016 12:25 PM, Jan Cholasta wrote:
> On 21.3.2016 10:17, Petr Spacek wrote:
>> On 18.3.2016 13:49, Rob Crittenden wrote:
>>> Martin Babinsky wrote:
>>>> These patches implement behavior agreed upon during discussion of
>>>> https://fedorahosted.org/freeipa/ticket/5677
>>>>
>>>> However I'm not sure if we want to push them into 4-3 branch (the
>>>> ticket
>>>> is triaged into 4.3.2 milestone) since they modify the framework
>>>> behavior quite a bit.
>>>>
>>>> If there is no need to have it there (CC'ing Milan since he is the
>>>> reporter), I would retriage it into 4.4 milestone.
>>>
>>>
>>> + desc="while getting entries (search base: '{}',"
>>> + "filter: {})".format(base_dn, filter))
>>>
>>> This is going to expose parts of the DIT in an error message to
>>> users. We have
>>> tried in the past to hide the implementation. I'd propose logging the
>>> error
>>> and making the exception less verbose.
>
> I agree with Rob here, we shouldn't expose internal stuff in error
> messages for users.
>
> In this particular case, even if we included internal stuff in the error
> message, it should be the error message returned by the server rather
> than this ad-hoc message.
>
>>
>> IMHO it actually helps to print the DN. At very least the user can see
>> if the
>> error is happening always with the same DN or if it keeps changing.
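Review bot: the `desc=` text in the quoted hunk interpolates `base_dn` and `filter` into a message that, per the replies here, reaches end users; write both values to the server log and keep `desc` generic. If the string stays as it is, the two literals join as `'{}',filter:` with no space after the comma, the base DN is quoted while the filter is not, and the local name `filter` shadows the Python builtin.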
>>
>> In other words, for user it is not that important to understand
>> meaning of the
>> DN but it might be important to see if it is the same or not.
>
> I can't imagine a situation where it would actually be useful for the
> user (as opposed to the admin, who has access to logs) to know the base
> DN of some arbitrary LDAP search operation. Could you give an example?
>

+1 for the internal info to be only in logs.
--
Petr Vobornik

From pvoborni at redhat.com Mon Mar 21 15:28:27 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 21 Mar 2016 16:28:27 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 4.2.4
Message-ID: <56F0131B.4050209@redhat.com>

The FreeIPA team would like to announce FreeIPA v4.2.4 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23.

https://bodhi.fedoraproject.org/updates/freeipa-4.2.4-1.fc23

These release notes are also available on http://www.freeipa.org/page/Releases/4.2.4

== Highlights in 4.2.4 ==

FreeIPA 4.2.4 is a bugfix release to improve upgrade experience from FreeIPA 4.1 for Fedora 23.

=== Bug fixes ===
* Fixed issue in installation of server with external CA where second step of installation "forgot" options from previous step which could lead, e.g., to DNS server not being installed. #5556
* Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name
* Fixed issue with migration from old self-sign IPA (e.g. CentOS 6) and upgrading it to a server with CA #5611, #5598, #5602, #5595, #5636, #4492, #5506
* Fixed issue with bind not starting after update due to wrong file permissions. #5520
* Fixed issue in installation of server without CA when certmonger was not running. #5519
* Fixed issue in upgrade of NIS maps. #5507
* Fixed issue in handling of empty cookies. It prevented users from logging in to Web UI using forms-based authentication. #5709
* Fixed issue with installation of KRA on a replica. #5346
* Fixed issue with DNSSEC key purging not being handled properly #5334
* Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. #5269
* Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117
* Fixed issue after upgrade of sidgen and extdom plugins which prevented generation of Security Identifiers (SIDs). As a result, all AD trusts created after the upgrade did not work while advertising that the trust was established correctly. #5665
* Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655
* Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472
* Fixed issue with missing "System: Read Replication Agreements" ACI on new replicas. #5631
* Fixed issue on Web UI password reset page where user was not notified when he entered invalid password #5567

=== Enhancements ===
* ipa-replica-prepare and ipa-replica-install no longer fail if PTR record is not resolvable #5686

== Upgrading ==
Upgrade instructions are available on upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.2.3 ==

=== Abhijeet Kasurde (2) ===
* Fixed small typo in stage-user documentation
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (1) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall

=== David Kupka (5) ===
* ipa-cacert-renew: Fix connection to ldap.
* ipa-otptoken-import: Fix connection to ldap.
* test: Temporarily increase timeout in vault test.
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.

=== Fraser Tweedale (5) ===
* TLS and Dogtag HTTPS request logging improvements
* Avoid race condition caused by profile delete and recreate
* Do not erroneously reinit NSS in Dogtag interface
* Add profiles and default CA ACL on migration
* Do not decode HTTP reason phrase from Dogtag

=== Gabe Alford (2) ===
* Incomplete ports for IPA AD Trust
* Check if IPA is configured before attempting a winsync migration

=== Jan Cholasta (9) ===
* install: fix command line option validation
* install: export KRA agent PEM file in ipa-kra-install
* cert renewal: make renewal of ipaCert atomic
* client install: do not corrupt OpenSSH config with Match sections
* ipalib: assume version 2.0 when skip_version_check is enabled
* cert renewal: import all external CA certs on IPA CA cert renewal
* CA install: explicitly set dogtag_version to 10
* replica install: validate DS and HTTP server certificates
* certdb: never use the -r option of certutil

=== Lenka Doudova (2) ===
* Adding descriptive IDs to stageuser tests
* Tests: Fix tests for (stage)user plugin

=== Martin Babinsky (13) ===
* fix error reporting when installer option is supplied with invalid choice
* suppress errors arising from adding existing LDAP entries during KRA install
* update idrange tests to reflect disabled modification of local ID ranges
* disconnect ldap2 backend after adding default CA ACL profiles
* do not disconnect when using existing connection to check default CA ACLs
* fix error message assertion in negative forced client reenrollment tests
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* fix standalone installation of externally signed CA on IPA master
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment

=== Martin Bašti (27) ===
* fix caching in get_ipa_config
* upgrade: fix migration of old dns forward zones
* Fix upgrade of forwardzones when zone is in realmdomains
* ipa-getkeytab: do not return error when translations cannot be loaded
* KRA: do not stop certmonger during standalone uninstall
* ipa-kra-install: allow to install first KRA on replica
* Modify error message to install first instance of KRA
* Fix version comparison
* DNS: fix file permissions
* Explicitly call chmod on newly created directories
* Fix: replace mkdir with chmod
* FIX: ipa_kdb_principals: add missing break statement
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* Tests: DNS replace 192.0.2.0/24 with 198.18.0.0/15 range
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* Fix broken trust warnings

=== Milan Kubik (1) ===
* Applied tier0 and tier1 marks on unit tests and xmlrpc tests

=== Milan Kubík (1) ===
* ipatests: Fix missed module import in ipaserver tests

=== Petr Voborník (3) ===
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help

=== Petr Špaček (12) ===
* Makefile: disable parallel build
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to ldapkeydb.py
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG

=== Simo Sorce (2) ===
* Return default TL_DATA is krbExtraData is missing
* Insure the admin_conn is disconnected on stop

=== Sumit Bose (4) ===
* ipasam: fix wrong usage of talloc_new()
* ipasam: use more restrictive search filter for group lookup
* ipasam: fix a use-after-free issue
* ipa-kdb: map_groups() consider all results

=== Tomáš Babej (4) ===
* tests: Fix incorrect uninstall method invocation
* tests: Add hostmask detection for sudo rules validating on hostmask
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5

--
Petr Vobornik

From pspacek at redhat.com Mon Mar 21 15:51:45 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 21 Mar 2016 16:51:45 +0100
Subject: [Freeipa-devel] [PATCH 0088-0095] Add --forward-policy option into installers
In-Reply-To: <20160310211744.GD32482@mail.corp.redhat.com>
References: <56E1E3B2.3070907@redhat.com> <20160310211744.GD32482@mail.corp.redhat.com>
Message-ID: <56F01891.5030704@redhat.com>

On 10.3.2016 22:17, Lukas Slebodnik wrote:
> On (10/03/16 22:14), Petr Spacek wrote:
>> Hello,
>>
>> I forgot to send a patches before I leave, so here it is:
>>
>> Auto-detect default value for --forward-policy option in installers
>>
>> See
>> https://fedorahosted.org/freeipa/ticket/5710
>> commit messages, and design page
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones
>>
>>
>> I did not have time to test it thoroughly but it LGTM :-D
>>
>> Please note that this is first part, it does not solve upgrade (yet) and
>> warnings in forwardzone-* interface.
>>
>> This can be solved in another patch set, this can be pushed if it passes review.
>>
> ENOPATH

LOL, here it is.

--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0088-Remove-function-ipapython.ipautil.host_exists.patch
Type: text/x-patch
Size: 2546 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0089-Extend-installers-with-forward-policy-option.patch
Type: text/x-patch
Size: 8158 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0090-Move-automatic-empty-zone-list-into-ipapython.dnsuti.patch
Type: text/x-patch
Size: 8307 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0091-Add-assert_absolute_dnsname-helper-to-ipapython.dnsu.patch
Type: text/x-patch
Size: 1574 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0092-Move-function-is_auto_empty_zone-into-ipapython.dnsu.patch
Type: text/x-patch
Size: 2212 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0093-Use-shared-sanity-check-and-tests-ipapython.dnsutil..patch
Type: text/x-patch
Size: 1299 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0094-Add-function-ipapython.dnsutil.inside_auto_empty_zon.patch
Type: text/x-patch
Size: 1508 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0095-Auto-detect-default-value-for-forward-policy-option-.patch
Type: text/x-patch
Size: 5505 bytes
Desc: not available
URL:

From pspacek at redhat.com Mon Mar 21 15:52:30 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 21 Mar 2016 16:52:30 +0100
Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup
In-Reply-To: <20160321125040.GE5897@mail.corp.redhat.com>
References: <56EF0E82.5090301@redhat.com> <56EFBEF9.5050509@redhat.com> <56EFBFEA.4080103@redhat.com> <56EFDB60.7060002@redhat.com> <20160321125040.GE5897@mail.corp.redhat.com>
Message-ID: <56F018BE.4080301@redhat.com>

On 21.3.2016 13:50, Lukas Slebodnik wrote:
> On (21/03/16 12:30), Martin Basti wrote:
>> On 21.03.2016 10:33, Christian Heimes wrote:
>>> On 2016-03-21 10:29, Petr Spacek wrote:
>>>> On 20.3.2016 21:56, Martin Basti wrote:
>>>>> Patches attached.
>>>> I do not really like
>>>> freeipa-mbasti-0442-pylint-remove-bare-except
>>>> because it replaces most of
>>>>
>>>> try: ... except:
>>>>
>>>> with
>>>>
>>>> try: ... except Exception:
>>>>
>>>>
>>>> which AFAIK does not add any value. It would be better to replace Exception
>>>> with more specific exception so the code raises an error instead of continuing
>>>> when something really unexpected happens.
>>> It adds some value. A bare except also excepts signals like
>>> KeyboardInterrupt and SystemExit. except Exception doesn't block these
>>> exceptions.
>>>
>>> But yes, more specific exceptions are better.
>>>
>>> Christian
>>>
>>>
>>>
>>>
>> 'except Exception' is another pylint check :D
>>
>> I replaced bare except with a particular exception in cases where it was
>> clear. For other occurrences of bare except it covers too much Exception
>> types, so catch Exception is more sensible, or I need crystal ball to detect
>> what kind of exceptions can be raised there.
>>
> Agree.
>
> It can be changed to more specific exceptions type of Exception in future.
> This change is less risky.
>
> pylint passed on fedora {23, 24, rawhide}
>
> ACK

Okay, it makes sense.

--
Petr^2 Spacek

From pspacek at redhat.com Mon Mar 21 15:54:09 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 21 Mar 2016 16:54:09 +0100
Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded
In-Reply-To: <56EFDA20.9090005@redhat.com>
References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> <56EFDA20.9090005@redhat.com>
Message-ID: <56F01921.7030204@redhat.com>

On 21.3.2016 12:25, Jan Cholasta wrote:
> On 21.3.2016 10:17, Petr Spacek wrote:
>> On 18.3.2016 13:49, Rob Crittenden wrote:
>>> Martin Babinsky wrote:
>>>> These patches implement behavior agreed upon during discussion of
>>>> https://fedorahosted.org/freeipa/ticket/5677
>>>>
>>>> However I'm not sure if we want to push them into 4-3 branch (the ticket
>>>> is triaged into 4.3.2 milestone) since they modify the framework
>>>> behavior quite a bit.
>>>>
>>>> If there is no need to have it there (CC'ing Milan since he is the
>>>> reporter), I would retriage it into 4.4 milestone.
>>>
>>>
>>> + desc="while getting entries (search base: '{}',"
>>> + "filter: {})".format(base_dn, filter))
>>>
>>> This is going to expose parts of the DIT in an error message to users. We have
>>> tried in the past to hide the implementation. I'd propose logging the error
>>> and making the exception less verbose.
>
> I agree with Rob here, we shouldn't expose internal stuff in error messages
> for users.
>
> In this particular case, even if we included internal stuff in the error
> message, it should be the error message returned by the server rather than
> this ad-hoc message.
>
>>
>> IMHO it actually helps to print the DN. At very least the user can see if the
>> error is happening always with the same DN or if it keeps changing.
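Review bot: in the desc= argument of the quoted hunk, the two adjacent string literals concatenate to "(search base: '{}',filter: {})" with no space after the comma, so the base DN and the filter run together in the message; end the first literal with a space. The string also formats base_dn and the search filter into the exception description, so if that text reaches users it should stay generic, with the DN and filter written to the log instead.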
>>
>> In other words, for user it is not that important to understand meaning of the
>> DN but it might be important to see if it is the same or not.
>
> I can't imagine a situation where it would actually be useful for the user (as
> opposed to the admin, who has access to logs) to know the base DN of some
> arbitrary LDAP search operation. Could you give an example?

I meant anyone who is facing an issue. I always prefer messages 'operation XYZ failed' over 'an operation failed'. Anyway, you are right that admin can look into logs so I'm pulling my comment above.

--
Petr^2 Spacek

From mbasti at redhat.com Mon Mar 21 16:54:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 21 Mar 2016 17:54:40 +0100
Subject: [Freeipa-devel] [PATCH 0142] spec: require python-cryptography newer than 0.9
In-Reply-To: <56EBC7D2.5080603@redhat.com>
References: <56EAEBFC.6050607@redhat.com> <56EBC7D2.5080603@redhat.com>
Message-ID: <56F02750.8020001@redhat.com>

On 18.03.2016 10:18, Martin Basti wrote:
>
> On 17.03.2016 18:40, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5744
>>
> ACK
>

Pushed to:
master: aa749957360b85fecaed2f9f8dc286f560b89e0b
ipa-4-3: 85d2cc054046aad9731f409bc92e1cbb5b09dde4
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvomacka at redhat.com Mon Mar 21 17:57:41 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 21 Mar 2016 18:57:41 +0100
Subject: [Freeipa-devel] [PATCH] 0005 webui: topology graph: canvas resizes itself according to the window size
In-Reply-To: <56E9993F.6000705@redhat.com>
References: <56BC7105.3020609@redhat.com> <56BDD5A6.8010108@redhat.com> <56C1ECA4.2070900@redhat.com> <56C4ADF0.4080702@redhat.com> <56CF1498.8080302@redhat.com> <56E1AA07.5040102@redhat.com> <56E28B54.8090204@redhat.com> <56E9993F.6000705@redhat.com>
Message-ID: <56F03615.1020109@redhat.com>

On 03/16/2016 06:34 PM, Petr Vobornik wrote:
> On 03/11/2016 10:09 AM, Pavel Vomacka wrote:
>>
>> On 03/10/2016 06:08 PM, Petr Vobornik wrote:
>>> On 02/25/2016 03:50 PM, Pavel Vomacka wrote:
>>>>
>>>> On 02/17/2016 06:29 PM, Petr Vobornik wrote:
>>>>> On 02/15/2016 04:20 PM, Pavel Vomacka wrote:
>>>>>>
>>>>>> On 02/12/2016 01:52 PM, Pavel Vomacka wrote:
>>>>>>>
>>>>>>> On 02/11/2016 12:31 PM, Pavel Vomacka wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The canvas of the graph had static size. This patch fixes this issue
>>>>>>>> and from now the graph canvas is resized according to the window size.
>>>>>>>>
>>>>>>>> Pavel Vomacka
>>>>>>>>
>>>>>>> Because of changes in previous patch I'm sending also this one again.
>>>>>>> Plus I fixed some jslint warnings.
>>>>>>>
>>>>>>> And again a link to the ticket:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5647 .
>>>>>>>
>>>>>>> --
>>>>>>> Pavel^3 Vomacka
>>>>>>>
>>>>>> And another change in the code. This patch adds checking whether a svg
>>>>>> element even exists. And don't add 'col-sm-12' class to the svg element
>>>>>> any more. This class just added useless paddings to the element.
>>>>>>
>>>>>> --
>>>>>> Pavel^3 Vomacka
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> thanks for the patch.
>>>> Hi,
>>>>
>>>> thank you for reviewing.
>>>>>
>>>>> 1. I don't like the fact that the resize handler registered in
>>>>> initialize method is active forever, even when viewing other facets.
>>>> I moved the handler to the topology graph facet. It is also removed
>>>> after hide event is emitted.
>>>>> 2. The code will probably fail if there is other svg element present
>>>>> on the page.
>>>>>
>>>>> $('svg') searches for all svg elements in DOM, such search is usually
>>>>> slow and undeterministic. It is better to use a stored reference(if
>>>>> possible) or limit the search to some parent element, e.g. TopoGraph
>>>>> can store and then use its container.
>>>>>
>>>>> Would be funny if there were 2 graphs.
>>>> Yep, you are right. I avoid using this type of searching in this patch.
>>>>
>>>>>
>>>>> 3. Why is there the toFixed(1) call? Or more specifically on that
>>>>> position? It hides the fact that toFixed transforms Number to String
>>>>> and then '-' operator with Number on the right casts it back to
>>>>> Number.
>>>> The toFixed(1) was used just because we don't need so accurate numbers,
>>>> but in this patch this function is not used any more.
>>>>>
>>>>> 4. width could be just: this._svg.parent().width()
>>>> The width is now solved by using this.content.width() in topology graph
>>>> facet. I think that the calculating of width and height should be at the
>>>> same place. That is why I didn't put calculating of width into the
>>>> TopoGraph.
>>>>>
>>>>> 5. Your approach for bottom padding works well but I don't like that
>>>>> the component assumes that there is some col-sm-12 element on a page
>>>>> whose right padding is actually equal to space on the left of the
>>>>> svg.
>>>> I agree, fixed.
>>>>>
>>>>> #1 and #5 makes me think that the resize logic should be moved
>>>>> topology facet. Something like:
>>>>>
>>>>> * register resize handler on facet's 'show' event
>>>>> * unregister resize handler on facet's 'hide' event (will solve #1)
>>>>> * on window resize, compute the size in topology facet, call new
>>>>> .resize(width, height) method of TopoGraph
>>>>>
>>>>> Then, we wouldn't have to search whole DOM for 'svg' elements to check
>>>>> if page is visible. The bottom padding can be obtained by:
>>>>> parseInt(this.content.css('paddingLeft')) where 'this' is facet.
>>>>>
>>>> I followed these tips and here is a new patch.
>>>>
>>>> --
>>>> Pavel^3 Vomacka
>>>
>>>
>>> 1.
>>> - width: 960,
>>> - height: 500,
>>>
>>> Graph even without this patch allows to set initial size in a
>>> constructor, e.g.:
>>>
>>> E.g. so he could also use:
>>> this.graph = new topology_graph.TopoGraph({
>>>     nodes: data.nodes,
>>>     links: data.links,
>>>     suffixes: data.suffixes,
>>>     height: height,
>>>     width: width
>>> });
>>>
>>> IMO we should leave some default size there, e.g. the old 960x500 so
>>> that the graph is shown even without explicit configuration.
>>>
>> Ok, I put the default size back, but into graph specification as you
>> write here.
>
> Ah, I badly expressed myself, sorry. I wanted to leave the original
> code on its place(TopoGraph). The above was just example what is
> possible with or without the change because it is not obvious from code.

Default size is returned back now.

>
>>
>>> 2.
>>> - update: function() {
>>> + update: function(height, width) {
>>>
>>> Update method should not require size params. E.g. if it should
>>> trigger only data update. So it should contain at least a doc string
>>> that the values are optional. Maybe it should be a single param.
>>>
>> These parameters are not required so I add doc string and also changed
>> them to single param.
>
> Looks good.
>
>>
>> --
>> Pavel^3 Vomacka
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0005-6-Resize-topology-graph-canvas-according-to-window-siz.patch
Type: text/x-patch
Size: 4735 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 22 09:23:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 10:23:37 +0100
Subject: [Freeipa-devel] [PATCHES 0442-0449] Pylint: sunday code cleanup
In-Reply-To: <56F018BE.4080301@redhat.com>
References: <56EF0E82.5090301@redhat.com> <56EFBEF9.5050509@redhat.com> <56EFBFEA.4080103@redhat.com> <56EFDB60.7060002@redhat.com> <20160321125040.GE5897@mail.corp.redhat.com> <56F018BE.4080301@redhat.com>
Message-ID: <56F10F19.9070501@redhat.com>

On 21.03.2016 16:52, Petr Spacek wrote:
> On 21.3.2016 13:50, Lukas Slebodnik wrote:
>> On (21/03/16 12:30), Martin Basti wrote:
>>> On 21.03.2016 10:33, Christian Heimes wrote:
>>>> On 2016-03-21 10:29, Petr Spacek wrote:
>>>>> On 20.3.2016 21:56, Martin Basti wrote:
>>>>>> Patches attached.
>>>>> I do not really like
>>>>> freeipa-mbasti-0442-pylint-remove-bare-except
>>>>> because it replaces most of
>>>>>
>>>>> try: ... except:
>>>>>
>>>>> with
>>>>>
>>>>> try: ... except Exception:
>>>>>
>>>>> which AFAIK does not add any value. It would be better to replace Exception
>>>>> with more specific exception so the code raises an error instead of continuing
>>>>> when something really unexpected happens.
>>>> It adds some value. A bare except also excepts signals like
>>>> KeyboardInterrupt and SystemExit. except Exception doesn't block these
>>>> exceptions.
>>>>
>>>> But yes, more specific exceptions are better.
>>>>
>>>> Christian
>>>>
>>> 'except Exception' is another pylint check :D
>>>
>>> I replaced bare except with a particular exception in cases where it was
>>> clear. For other occurrences of bare except it covers too much Exception
>>> types, so catch Exception is more sensible, or I need crystal ball to detect
>>> what kind of exceptions can be raised there.
>>>
>> Agree.
>>
>> It can be changed to more specific exceptions type of Exception in future.
>> This change is less risky.
>>
>> pylint passed on fedora {23, 24, rawhide}
>>
>> ACK
> Okay, it makes sense.
>

master:
* 491447cc5ab8c5eff2be57d609201cefb79f7053 pylint: remove bare except
* e93e89e1ae27e4f0ef23001f6c1247c45695ae24 Pylint: fix definition of global variables
* 5add0f94cf9253a72224ccaf5be38540468ea589 Pylint: enable pointless-except check
* d46cd5d956d1c03b863bf90d0fd0ff4870448183 Pylint: enable reimported check
* 195e50b93b63e4f30ce83dbcfef278727d48aea2 Pylint: use list comprehension instead of iteration
* b66028af1815fbf7666b82ebeaa81ad56996a74f Pylint: import max one module per line
* da0318d4d7dd369be136449e686b6fb46d0cc5d8 Pylint: remove unnecessary-semicolon
* 4a396dd68b1bc6cc68765f502f7e952a087064a8 Pylint: enable invalid-name check

From mbasti at redhat.com Tue Mar 22 09:29:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 10:29:24 +0100
Subject: [Freeipa-devel] [PATCH 0428] SPEC: do not execute upgrade when ipa server is not installed
In-Reply-To: <56EBFEB9.7070105@redhat.com>
References: <56D5E8D3.5020709@redhat.com> <56D5E9DF.1080201@redhat.com> <56D5EA6C.4030005@redhat.com> <56D5EF32.7090006@redhat.com> <56D68798.60603@redhat.com> <56EBFEB9.7070105@redhat.com>
Message-ID: <56F11074.8080504@redhat.com>

On 18.03.2016 14:12, Martin Babinsky wrote:
> On 03/02/2016 07:26 AM, Jan Cholasta wrote:
>> On 1.3.2016 20:36, Rob Crittenden wrote:
>>> Martin Basti wrote:
>>>>
>>>> On 01.03.2016 20:13, Rob Crittenden wrote:
>>>>> Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5704
>>>>>>
>>>>>> Patch attached.
>>>>>>
>>>>> Would it be safer to integrate this into ipa-upgrade itself? You'd just
>>>>> need to return 0 for the case where IPA isn't installed.
>>>>>
>>>>> rob
>>>> How about the case when ipa-server-upgrade is called by user from CLI?
>>>> It should fail because IPA is not installed, instead of returning
>>>> success. That check is in specfile anyway due service restart.
>>>>
>>>> Martin^2
>>>
>>> Yeah, I was hoping you'd miss that :-)
>>>
>>> It just seems to me, as you point out, that it should check when run by
>>> anything, user or spec, so adding it only to the spec seems wrong. I'm
>>> not a huge fan of option bloat but that would be one way around this,
>>> --graceful-exit or something. Could make it a hidden option if you
>>> wanted.
>>
>> I don't think adding the option is worth the effort, as we will be soon
>> moving away from running the upgrade script directly from the spec file
>> to a service based solution (#4552, #5373).
>>
> I am not a big fan of adding a special option and the related magic to
> the upgrade code itself either.
>
> I will ACK this patch unless there is some strong opposition towards
> this approach.
>

Pushed to:
master: 4f25b296054076abf3d6e44f6b2e7552f993fb1c
ipa-4-3: 0bd34fa78952b1abefde290f5b3bf7b4a67e73dc

From mbasti at redhat.com Tue Mar 22 09:43:18 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 10:43:18 +0100
Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
In-Reply-To: <56EBDE21.7000200@redhat.com>
References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com> <56EBC8D9.9050501@redhat.com> <56EBDE21.7000200@redhat.com>
Message-ID: <56F113B6.9070103@redhat.com>

On 18.03.2016 11:53, Christian Heimes wrote:
> On 2016-03-18 10:22, Martin Basti wrote:
>>
>> On 29.02.2016 16:02, David Kupka wrote:
>>> Hello Christian,
>>> sorry for letting this patch rot for so long. I've forgotten about it the minute Fraser replied.
>>> To compensate a little I've fixed pep8 error, rebased it and attaching two versions for master and for 4.3 branch.
>>> I haven't found any missing cases and it works for me. If you're OK with the modified patches it can be pushed.
>>>
>>> David
>>>
>>> ----- Original Message -----
>>> From: "Christian Heimes"
>>> To: "Fraser Tweedale"
>>> Cc: "freeipa-devel"
>>> Sent: Wednesday, January 20, 2016 11:57:42 AM
>>> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform
>>>
>>> On 2016-01-20 02:54, Fraser Tweedale wrote:
>>>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>>>>> ipaplatform.constants has platform specific names for a couple of system
>>>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>>>>> and DS_GROUP are defined in other modules. Similar to #5587 the patch my
>>>>> patch moves the constants into the platform module.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5619
>>>> I see a few remaining cases:
>>>>
>>>> ipaserver/install/dsinstance.py
>>>> 712: pent = pwd.getpwnam("dirsrv")
>>>>
>>>> ipatests/test_integration/test_backup_and_restore.py
>>>> 167: self.master.run_command(['userdel', 'dirsrv'])
>>>> 168: self.master.run_command(['userdel', 'pkiuser'])
>>>>
>>>> ipaplatform/redhat/tasks.py
>>>> 441: if name == 'pkiuser':
>>>>
>>>> When these are included, ACK.
>>> Good catch!
>>>
>>> My new patch takes care of remaining cases.
>>>
>> Christian do you agree with proposed changes, can we push it?
>> Martin^2
> Oh, the patch is still open? ACK!
>

Pushed to ipa-4-3: e3bf65f2df9c50873f0967b96a6a2a5975a87f79
Pushed to master: 49be6c8d3cc20902dbe8e92a74e31aed2fd21d9f

From cheimes at redhat.com Tue Mar 22 10:29:27 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 22 Mar 2016 11:29:27 +0100
Subject: [Freeipa-devel] Converting plugin output
In-Reply-To: <56EFD4CA.8080502@redhat.com>
References: <56EC1028.40600@redhat.com> <56EFD4CA.8080502@redhat.com>
Message-ID: <56F11E87.8070305@redhat.com>

On 2016-03-21 12:02, Jan Cholasta wrote:
> Hi,
>
> On 18.3.2016 15:26, Christian Heimes wrote:
>> Hi,
>>
>> I'd like to use FreeIPA's RPC interface from Ansible directly. But the
>> output of plugins is rather unfriendly and unpythonic:
>>
>> >>> print(api.Command.dnsconfig_show())
>> {u'result': {u'dn': u'cn=dns,dc=ipa,dc=example', u'idnsallowsyncptr':
>> (u'FALSE',)}, u'value': None, u'summary': None}
>>
>> Please notice (u'FALSE',) instead of False.
>
> This is how the framework does things - there is no internal consistency
> and no singular place where coding of values is handled, lot of the
> output is generated by ad-hoc code somewhere in post_callbacks.
> Unfortunately this is not easily fixable.

Yes, it's a bit unfortunate. FreeIPA has a rich and powerful RPC-API. The under-documented and nested output makes the RPCs hard to use from Python code. I'd wish we had something like JSON schema for input and output documentation.

>> But it is failing for some plugins like user_find(). The plugin returns
>> u'memberof_group': (u'admins', u'trust admins'). However
>> global_output_params defines the value as an optional and single valued
>> string:
>>
>> Str('memberof_group?', label=_('Member of groups')).
>>
>> I think the definition is wrong. memberof_group and some other fields
>> should be defined as optional and multivalued fields insteads. Even the
>> field's label uses a plural form.
>>
>> What do you think?
>
> Yes, the definition is wrong, but I don't think it's worth fixing, since
> you can't rely on a single-value param having a single value in the
> output for any other command and param anyway.

I think it's a low-hanging fruit. All memberof and indirectmemberof params should be multivalued. That's an easy fix.

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL:

From akasurde at redhat.com Tue Mar 22 11:02:10 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Tue, 22 Mar 2016 16:32:10 +0530
Subject: [Freeipa-devel] [PATCH] Added fix for notifying user about account expiration in Web UI
In-Reply-To: <56EC0C2A.3020009@redhat.com>
References: <56EC00CC.2080300@redhat.com> <56EC0C2A.3020009@redhat.com>
Message-ID: <56F12632.40903@redhat.com>

Hi All,

Please find the updated patches as per review comments.

On 03/18/2016 07:39 PM, Petr Vobornik wrote:
> On 03/18/2016 02:21 PM, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review these patches.
>>
>> Fixes : https://fedorahosted.org/freeipa/ticket/5077
>>
>> Thanks,
>> Abhijeet Kasurde
>>
>
> 'invalid' is a default and right now is meant for invalid password(not
> correct, see below). So by reading the patch, it will break the case
> when user sets invalid password.
>
> Better would be to process kinit output in rpcserver.py:login_password
> and set e.g: 'krbprincipal-expired' reason.
>
> Then add it to a list of known errors in ipa.js:login_password:498. We
> should probably add also 'invalid-password' to the list.
>
> Then do the change as in this patch but only with:
> 'krbprincipal-expired'.
>
> If 'invalid-password' is added to the list of known errors then we
> should change the default error from "The password or username you
> entered is incorrect. " to e.g.: 'Login failed from unknown reason"
>

Thanks Petr for suggestions.
Thanks,
Abhijeet Kasurde
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-2-Added-fix-for-notifying-user-about-Kerberos-principa.patch
Type: text/x-patch
Size: 7187 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-2-Added-fix-for-notifying-user-about-Kerberos-principa-ipa-4-2.patch
Type: text/x-patch
Size: 7233 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0006-2-Added-fix-for-notifying-user-about-Kerberos-principa-ipa-4-3.patch
Type: text/x-patch
Size: 7233 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Tue Mar 22 11:28:13 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 22 Mar 2016 12:28:13 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56E95CEA.3070509@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> <1458131710.2518.0.camel@redhat.com> <56E95CEA.3070509@redhat.com>
Message-ID: <56F12C4D.70906@redhat.com>

On 03/16/2016 02:17 PM, Martin Babinsky wrote:
> On 03/16/2016 01:35 PM, Nathaniel McCallum wrote:
>> On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote:
>>> On 15.3.2016 22:22, Nathaniel McCallum wrote:
>>>>
>>>> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
>>>>>
>>>>> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
>>>>>>
>>>>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote:
>>>>>>>
>>>>>>> On 8.3.2016 17:45, Martin Babinsky wrote:
>>>>>>>>
>>>>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>>>>>>>>>
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>>>>>>> 1) Instead of checking for utf-8 in particular, I would
>>>>>>>>> prefer a more
>>>>>>>>> robust approach:
>>>>>>>>>
>>>>>>>>> try:
>>>>>>>>>     qr = qrcode.QRCode()
>>>>>>>>>     qr.add_data('test')
>>>>>>>>>     qr.make()
>>>>>>>>>     qr.print_ascii(tty=True)
>>>>>>>>> except UnicodeError:
>>>>>>>>>     # it is not printable
>>>>>>>>> else:
>>>>>>>>>     # it is printable
>>>>>>>>>
>>>>>>>> Now you mean the check in the _check_qrcode_capability() or the
>>>>>>>> _print_qrcode() method itself?
>>>>>>> _check_qrcode_capability() of course.
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2) There is no os.isatty() check to see if stdout is actually
>>>>>>>>> a tty.
>>>>>>>>>
>>>>>>>> This check is performed inside both print_ascii() and print_tty()
>>>>>>>> methods of QRCode object, but you probably mean that I should
>>>>>>>> put the
>>>>>>>> check also into _check_qrcode_capability() method, right?
>>>>>>> Yes. If stdout is not a tty, we should at least not tty=True in
>>>>>>> print_ascii().
>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Honza
>>>>>>>>>
>>>>>> Attaching updated patch. After the discussion with other developers
>>>>>> we
>>>>>> decided to just print warnings when non-UTF-8 encoding is used and
>>>>>> tty
>>>>>> width is smaller than the QR code size.
>>>>>>
>>>>> Found some minor errors in the patch, attaching updated version.
>>>> NACK
>>>>
>>>> This patch has the major problem that tokens are added but then
>>>> unusable because they can't be provisioned to the devices. You need to
>>>> check if qrcode output is possible before the token is added to
>>>> LDAP.
>>> We discussed this on the IPA devel meeting and the decision was that
>>> since the otpauth URI is always displayed, a warning is sufficient when
>>> the QR code cannot be printed.
>>>
>>> If you disagree, could you explain why the URI is not sufficient for
>>> provisioning the token?
>>
>> I guess that is okay.
>>
>
> Thank you Nathaniel.
>
> Jan had some offline comments to the patch. Attaching updated version.
>

Attaching updated patches.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbabinsk-0139.4-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5378 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0139.4-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5344 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 22 12:02:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 13:02:30 +0100
Subject: [Freeipa-devel] [PATCH 0141] ipa-replica-manage: print traceback on unexpected error when in verbose mode
In-Reply-To: <56EBFC51.7050606@redhat.com>
References: <56E18BC8.1000700@redhat.com> <56E6F430.4020900@redhat.com> <56E82439.2040108@redhat.com> <56EBF6CF.8000607@redhat.com> <56EBFC51.7050606@redhat.com>
Message-ID: <56F13456.4030606@redhat.com>

On 18.03.2016 14:02, Martin Babinsky wrote:
> On 03/18/2016 01:38 PM, Martin Basti wrote:
>>
>> On 15.03.2016 16:03, Martin Babinsky wrote:
>>> On 03/14/2016 06:26 PM, Martin Basti wrote:
>>>>
>>>> On 10.03.2016 15:59, Martin Babinsky wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5380
>>>>>
>>>> NACK
>>>>
>>>> 1)
>>>> Maybe we should print traceback in verbose mode for RuntimeError as
>>>> well.
>>>>
>>>> 2)
>>>> IMO would be better to print traceback first and then, print error
>>>>
>>>> Martin^2
>>>
>>> Attaching updated patch.
>>>
>> I changed my mind, RuntimeError should stay as it is now. Sorry
>
> No problem.
>

ACK

Pushed to master: e7e1b8c58ed592e8957b4a25838a9e7814ddd01a

From dkupka at redhat.com Tue Mar 22 12:36:01 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 22 Mar 2016 13:36:01 +0100
Subject: [Freeipa-devel] [PATCH 0099] Look up HTTPD_USER's UID and GID during installation.
Message-ID: <56F13C31.7080705@redhat.com>

https://fedorahosted.org/freeipa/ticket/5712

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-dkupka-0099.0-Look-up-HTTPD_USER-s-UID-and-GID-during-installation.patch
Type: text/x-patch
Size: 2726 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Mar 22 12:50:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 13:50:21 +0100
Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736
In-Reply-To: <56EFAC9C.7070309@redhat.com>
References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> <56E966B4.2030709@redhat.com> <56E96A25.7080504@redhat.com> <56E96F20.6080009@redhat.com> <56EFAC9C.7070309@redhat.com>
Message-ID: <56F13F8D.4000204@redhat.com>

On 21.03.2016 09:11, Oleg Fayans wrote:
> Hi Martin,
>
> On 03/16/2016 03:35 PM, Martin Basti wrote:
>>
>> On 16.03.2016 15:13, Martin Basti wrote:
>>>
>>> On 16.03.2016 14:59, Oleg Fayans wrote:
>>>> Hi Martin
>>>>
>>>> On 03/16/2016 02:39 PM, Martin Basti wrote:
>>>>> On 16.03.2016 10:59, Oleg Fayans wrote:
>>>>>> With this patch applied integration tests pass and in-tree tests are
>>>>>> gracefully skipped.
>>>>>>
>>>>>> @mkubik, It is not possible to put the decorator to util.py as per our
>>>>>> discussion, because it uses tasks, so tasks must be imported. But
>>>>>> tasks
>>>>>> already import util, which leads to circular imports. So I've put
>>>>>> it to
>>>>>> tasks.py
>>>>>>
>>>>> NACK
>>>>>
>>>>> 1)
>>>>> Use right ticket in commit message (#5723)
>>>> But (#5736) is exactly the issue that is being addressed. Probably note
>>>> both tickets in the commit message?
>>> But as I wrote in ticket #5736, this ticket should be closed, because
>>> issue is caused by ticket which is not finished yet, so we should
>>> continue just with original ticket.
> Done
>
>>>>> 2)
>>>>> Link to ticket should be last in the commit message
> Done
>
>>>>> 3)
>>>>> dereplicafy
>>>>>
>>>>> 3a)
>>>>> wrong doc string, it removes *only* replicas not clients
>>>> No, in fact it removes both:
>>>> uninstall_replica(args[0].master, host)
>>>> uninstall_client(host)
>>>>
>>>> Both tasks have raiseonerr set to False, which means that even if
>>>> replica was not installed but the client was - it will also be removed
>>> I see just
>>> for host in args[0].replicas
>>>
>>> I don't see any
>>> for host in args[0].clients
>>> there
>>>
>>> Also uninstall_client should not be there. ipa-server-install
>>> --uninstall removes client too. The extra call of uninstall client is
>>> IMO there just because an ancient bug that is already fixed.
> That's done because some tests install client separately and then
> deliberately install replica the wrong way to test that the installer
> fails in a predicted way. That's why this separate uninstall_client
> call. The doc string was corrected.
>
>>>>> 3b)
>>>>> can we rename it to something different? (replicas_cleanup,
>>>>> replicas_uninstall, replicas_teardown)
>>>> replicas_cleanup, or even topo_cleanup sounds OK to me.
> replicas_cleanup it is
>
>>>>> 4)
>>>>> Please fix commit message
>>>>> - Wile trated correctly
>>>>> - followiong
>>>>> - rewrote -> rewrite
>>>> Will do
> Done
>
>>>>> 5)
>>>>> decorator
>>>>> + def wrapped(*args):
>>>>> + func(*args)
>>>>> + for host in args[0].replicas:
>>>>>
>>>>> Shouldn't be there try-finally around func() call, or something?
>>>> No, the wrapped function is a test_* method: if it fails we need to see
>>>> the original failure
>>> but if something raise an exception in func(), cleanup will not be
>>> executed.
>>>
>>> You can do
>>> In [4]: try:
>>>    ...:     raise ValueError('Hello')
>>>    ...: finally:
>>>    ...:     try:
>>>    ...:         raise ValueError('Cleanup')
>>>    ...:     except Exception:
>>>    ...:         pass
>>>    ...:
>>> ---------------------------------------------------------------------------
>>>
>>> ValueError Traceback (most recent call last)
>>> in ()
>>> 1 try:
>>> ----> 2 raise ValueError('Hello')
>>> 3 finally:
>>> 4 try:
>>> 5 raise ValueError('Cleanup')
>>>
>>> ValueError: Hello
>> On the other hand, I do not want cleanup with --pdb option, so maybe it
>> should just fail
>>
>>>>> Are you sure that there is no need to return result of func()?
>>>> The same applies here: we never return results from test_* methods
>>> ok
>>>>> *) Please create additional patch that will add licence there
>>>>>
>>>> Will do :)
>>>>
> The license-related patch is attached too
>

Patch 0029 pushed to:
master: c2042900382190b1c9d7a44bd719cacd804749b3
ipa-4-3: 1d5b8b8781e5d6300c5029bdd68c6ddf98f6ecd3

Patch 27 is on review

From mbasti at redhat.com Tue Mar 22 13:06:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 14:06:40 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56F00B16.90402@redhat.com>
References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> <56F00B16.90402@redhat.com>
Message-ID: <56F14360.5050802@redhat.com>

On 21.03.2016 15:54, Oleg Fayans wrote:
> Hi Lukas, Martin,
>
> Looks I've implemented the approach proposed by Martin. The issue seems
> to have gone (see the external_ca_out for external_ca test output).
> Would like you to take a look and tell me what'd you think.
>
> On 03/17/2016 08:37 PM, Lukas Slebodnik wrote:
>> On (17/03/16 16:00), Oleg Fayans wrote:
>>> Hi Lukas,
>>>
>>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote:
>>>> On (10/03/16 23:09), Oleg Fayans wrote:
>>>>> Hi Martin,
>>>>>
>>>>> On 03/08/2016 08:18 PM, Martin Basti wrote:
>>>>>>
>>>>>> On 08.03.2016 18:24, Martin Basti wrote:
>>>>>>>
>>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote:
>>>>>>>> The patches were rebased against the current master
>>>>>>>>
>>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote:
>>>>>>>>> * old messages have been removed *
>>>>>>>>>>>>> 1)
>>>>>>>>>>>>> this method is unused please remove it
>>>>>>>>>>>>>
>>>>>>>>>>>>> def test_kra_install_master(self):
>>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd better
>>>>>>>>>> keep it:
>>>>>>>>>>
>>>>>>>>>> -bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
>>>>>>>>>> --collect-only
>>>>>>>>>> ====================================================================================
>>>>>>>>>>
>>>>>>>>>> test session starts
>>>>>>>>>> =====================================================================================
>>>>>>>>>>
>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>>>>>> pytest.ini
>>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>>> collected 8 items
>>>>>>>>>>
>>>>>>>>> aah my bad, I forgot that pytest executes it when it begins with test_*
>>>>>>>>> even in parent class
>>>>>>>>>>>>> 2)
>>>>>>>>>>>>> Why are these there? I do not see any usage
>>>>>>>>>>>>>
>>>>>>>>>>>>> from env_config import get_global_config
>>>>>>>>>>>>> config = get_global_config()
>>>>>>>>>> Removed
>>>>>>>>>>
>>>>>>>>>>>>> 3) nitpick
>>>>>>>>>>>>> + num_clients = 0
>>>>>>>>>>>>> this is set by default
>>>>>>>>>> Removed
>>>>>>>>>>
>>>>>>>>>>>>> otherwise LGTM
>>>>>>>>>>>>>
>>>>>>>>>>>>> Results of testing tomorrow.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>>
>>>>>>>>>>>> I applied all patches including workarounds, but test failed.
>>>>>>>>>>>>
>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>>>>>>>
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102',
>>>>>>>>>>>> '/root/ipatests/replica-info.gpg']
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] The host
>>>>>>>>>>>> replica1.ipa.test already exists on the master server.
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] You should
>>>>>>>>>>>> remove it before proceeding:
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>>>>>>>>>>>> host-del replica1.ipa.test
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>>>>>> ipa-replica-install command failed. See
>>>>>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit
>>>>>>>>>>>> code: 3
>>>>>>>>>>>> FAILED
>>>>>>>>>> this is exactly the error that happens when a workaround for 5627
>>>>>>>>>> is not
>>>>>>>>>> applied. I have re-run the tests with all the patches and everything
>>>>>>>>>> passed. Could you please double-check, whether patch 0027 was applied
>>>>>>>>>> correctly?
>>>>>>>>>>
>>>>>>>>>> bash-4.3$ ipa-run-tests test_integration/test_replica_promotion.py
>>>>>>>>>> --pdb
>>>>>>>>>> ====================================================================================
>>>>>>>>>>
>>>>>>>>>> test session starts
>>>>>>>>>> =====================================================================================
>>>>>>>>>>
>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>>>>>> pytest.ini
>>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>>> collected 8 items
>>>>>>>>>>
>>>>>>>>>> test_integration/test_replica_promotion.py ........
>>>>>>>>>>
>>>>>>>>>> ================================================================================
>>>>>>>>>>
>>>>>>>>>> 8 passed in 7561.93 seconds
>>>>>>>>>> =================================================================================
>>>>>>>>>>
>>>>>>>>> I will
>>>>>>>>>
>>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch.
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723
>>>>>>> NACK
>>>>>>>
>>>>>>> 1)
>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>>> 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN
>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA client is
>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your system
>>>>>>> may be partly configured.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run
>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>> when the domain is at level 0.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>> ipa-replica-install command failed. See
>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit code: 1
>>>>>>> FAILED
>>>>>>>
>>>>>>> 2)
>>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>>> 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is
>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system
>>>>>>> may be partly configured.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>> when the domain is at level 0.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>> ipa-replica-install command failed. See
>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1
>>>>>>> FAILED
>>>>>>>
>>>>>>> 3)
>>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1',
>>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address',
>>>>>>> '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA client is
>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your system
>>>>>>> may be partly configured.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>> when the domain is at level 0.
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>> ipa-replica-install command failed. See
>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit code: 1
>>>>>>> FAILED
>>>>>>>
>>>>>>> Reason:
>>>>>>>
>>>>>>> def install_replica(master, replica, setup_ca=True, setup_dns=False, >>>>>>> - setup_kra=False, extra_args=()): >>>>>>> + setup_kra=False, extra_args=(), domain_level=None): >>>>>>> + if domain_level is None: >>>>>>> + domain_level = domainlevel(master)
>>>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed
>>>>> The successful run is attached
>>>>>
>>>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>>> + if domainlevel == DOMAIN_LEVEL_0:
>>>>>>>
>>>>>>> domain_level variable is actually unused
>>>>>>>
>>>>>> Also with your patch that removes host_prepare, I see many following
>>>>>> errors in test debug output
>>>>>>
>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 1:
>>>>>> cd: /root/ipatests: No such file or directory
>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: line 2:
>>>>>> /root/ipatests/env.sh: No such file or directory
>>>>>>
>>>>>> I do not see these errors in current tests, so the patch does not seem
>>>>>> right to me.
>>>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull
>>>>>
>>>>> I've been experimenting a lot to find get rid of it but was
>>>>> unsuccessful. Seemingly it does not affect the tests.
>>>>>
>>>> Oleg it looks like you broke something
>>>> in the test_integration/test_external_ca.py
>>>>
>>>> _______________________ TestExternalCA.test_external_ca ________________________
>>>>
>>>> self =
>>>>
>>>> def test_external_ca(self):
>>>>     # Step 1 of ipa-server-install
>>>>     self.master.run_command([
>>>>         'ipa-server-install', '-U',
>>>>         '-a', self.master.config.admin_password,
>>>>         '-p', self.master.config.dirman_password,
>>>>         '--setup-dns', '--no-forwarders',
>>>>         '-n', self.master.domain.name,
>>>>         '-r', self.master.domain.realm,
>>>>         '--domain-level=%i' % self.master.config.domain_level,
>>>>         '--external-ca'
>>>>     ])
>>>>
>>>>     nss_db = os.path.join(self.master.config.test_dir, 'testdb')
>>>>     external_cert_file = os.path.join(nss_db, 'ipa.crt')
>>>>     external_ca_file = os.path.join(nss_db, 'ca.crt')
>>>>     noisefile = os.path.join(self.master.config.test_dir, 'noise.txt')
>>>>     pwdfile = os.path.join(self.master.config.test_dir, 'pwdfile.txt')
>>>>
>>>>     # Create noise and password files for NSS database
>>>>>    self.master.run_command('date | sha256sum > %s' % noisefile)
>>>> test_integration/test_external_ca.py:49:
>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>> ../pytest_multihost/host.py:246: in run_command
>>>>     command.wait(raiseonerr=raiseonerr)
>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>>
>>>> self =
>>>> raiseonerr = True
>>>>
>>>> def wait(self, raiseonerr=True):
>>>>     """Wait for the remote process to exit
>>>>
>>>>     Raises an excption if the exit code is not 0, unless raiseonerr is
>>>>     true.
>>>>     """
>>>>     if self._done:
>>>>         return self.returncode
>>>>
>>>>     self._end_process()
>>>>
>>>>     self._done = True
>>>>
>>>>     if raiseonerr and self.returncode:
>>>>         self.log.error('Exit code: %s', self.returncode)
>>>>>        raise subprocess.CalledProcessError(self.returncode, self.argv)
>>>> E CalledProcessError: Command 'date | sha256sum > /root/ipatests/noise.txt' returned non-zero exit status 1
>>>>
>>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>>> ---------------------------- Captured stdout setup -----------------------------
>>>>
>>>> ========================== 1 failed in 32.25 seconds ===========================
>>>>
>>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>>
>>>> The only explanation is that the directory /root/ipatests/ does not exist.
>>> Obviously this is caused by my patch N 0025
>>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>>
>>> Without it replica_promotion tests would fail. The only compromise I see
>>> is to remove this line in unapply_fixes function in
>>> ipatests/test_integration/tasks.py:
>>>
>>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>>
>>> Now the biggest question is: why do we keep removing the config folder
>>> anyway? All the files (backups of /etc/hosts, etc) that ever get there
>>> get overwritten each time anyway so it's quite safe to just keep the
>>> folder throughout the whole test execution.
>>>
>> I do not know why it was removed. IMHO it should be enough
>> to remove just content of this directory.
>>
>> But it will be good to fix it ASAP
>> and unblock test test_integration/test_external_ca.py
>> I hope we want to have green test in 4.3 branch.
>> Please also open a ticket so it can be backported to
>> stable branch (if needed)
>>
>> LS
>>
NACK

0)
it is not refactoring, it is bugfixing because it is broken

1)
Originally prepare hosts were called for every installation where tasks
install_server, install_replica, install_client were used. Now hosts are
prepared only in base install class, so all test cases where install
classmethod is overridden will have no test directory prepared. Does
py.test have any method that is called for each test class before install?

2)
I don't like new option in unapply fixes, it breaks symmetry, if
prepare_host is adding directory, then reverse operation should remove
directory, IMO unapply_fixes is reverse operation for prepare_host and
it should not have any option that changes behavior.

From ofayans at redhat.com Tue Mar 22 13:30:08 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 22 Mar 2016 14:30:08 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56F14360.5050802@redhat.com>
References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> <56F00B16.90402@redhat.com> <56F14360.5050802@redhat.com>
Message-ID: <56F148E0.9000907@redhat.com>

On 03/22/2016 02:06 PM, Martin Basti wrote:
>
>
> On 21.03.2016 15:54, Oleg Fayans wrote:
>> Hi Lukas, Martin,
>>
>> Looks like I've implemented the approach proposed by Martin. The issue seems
>> to have gone (see the external_ca_out for external_ca test output).
>> Would like you to take a look and tell me what you think.
>>
>> On 03/17/2016 08:37 PM, Lukas Slebodnik wrote:
>>> On (17/03/16 16:00), Oleg Fayans wrote:
>>>> Hi Lukas,
>>>>
>>>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote:
>>>>> On (10/03/16 23:09), Oleg Fayans wrote:
>>>>>> Hi Martin,
>>>>>>
>>>>>> On 03/08/2016 08:18 PM, Martin Basti wrote:
>>>>>>>
>>>>>>> On 08.03.2016 18:24, Martin Basti wrote:
>>>>>>>>
>>>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote:
>>>>>>>>> The patches were rebased against the current master
>>>>>>>>>
>>>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote:
>>>>>>>>>> * old messages have been removed *
>>>>>>>>>>>>>> 1)
>>>>>>>>>>>>>> this method is unused please remove it
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> def test_kra_install_master(self):
>>>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd
>>>>>>>>>>> better
>>>>>>>>>>> keep it:
>>>>>>>>>>>
>>>>>>>>>>> -bash-4.3$ ipa-run-tests
>>>>>>>>>>> test_integration/test_replica_promotion.py
>>>>>>>>>>> --collect-only
>>>>>>>>>>> ====================================================================================
>>>>>>>>>>>
>>>>>>>>>>> test session starts
>>>>>>>>>>> =====================================================================================
>>>>>>>>>>>
>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>>>>>>> pytest.ini
>>>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>>>> collected 8 items
>>>>>>>>>>>
>>>>>>>>>> aah my bad, I forgot that pytest executes it when it begins
>>>>>>>>>> with test_*
>>>>>>>>>> even in parent class
>>>>>>>>>>>>>> 2)
>>>>>>>>>>>>>> Why are these there? I do not see any usage
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> from env_config import get_global_config
>>>>>>>>>>>>>> config = get_global_config()
>>>>>>>>>>> Removed
>>>>>>>>>>>
>>>>>>>>>>>>>> 3) nitpick
>>>>>>>>>>>>>> + num_clients = 0
>>>>>>>>>>>>>> this is set by default
>>>>>>>>>>> Removed
>>>>>>>>>>>
>>>>>>>>>>>>>> otherwise LGTM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Results of testing tomorrow.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Martin^2
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I applied all patches including workarounds, but test failed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>>>>>>>>
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN
>>>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>>>>>>>> 'Secret123',
>>>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102',
>>>>>>>>>>>>> '/root/ipatests/replica-info.gpg']
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>>>>>>>>>>> The host
>>>>>>>>>>>>> replica1.ipa.test already exists on the master server.
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>>>>>>>>>>> You should
>>>>>>>>>>>>> remove it before proceeding:
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa
>>>>>>>>>>>>> host-del replica1.ipa.test
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51]
>>>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>>>>>>> ipa-replica-install command failed. See
>>>>>>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit
>>>>>>>>>>>>> code: 3
>>>>>>>>>>>>> FAILED
>>>>>>>>>>> this is exactly the error that happens when a workaround for
>>>>>>>>>>> 5627
>>>>>>>>>>> is not
>>>>>>>>>>> applied. I have re-run the tests with all the patches and
>>>>>>>>>>> everything
>>>>>>>>>>> passed. Could you please double-check, whether patch 0027 was
>>>>>>>>>>> applied
>>>>>>>>>>> correctly?
>>>>>>>>>>>
>>>>>>>>>>> bash-4.3$ ipa-run-tests
>>>>>>>>>>> test_integration/test_replica_promotion.py
>>>>>>>>>>> --pdb
>>>>>>>>>>> ====================================================================================
>>>>>>>>>>>
>>>>>>>>>>> test session starts
>>>>>>>>>>> =====================================================================================
>>>>>>>>>>>
>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3
>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
>>>>>>>>>>> pytest.ini
>>>>>>>>>>> plugins: sourceorder, multihost
>>>>>>>>>>> collected 8 items
>>>>>>>>>>>
>>>>>>>>>>> test_integration/test_replica_promotion.py ........
>>>>>>>>>>>
>>>>>>>>>>> ================================================================================
>>>>>>>>>>>
>>>>>>>>>>> 8 passed in 7561.93 seconds
>>>>>>>>>>> =================================================================================
>>>>>>>>>>>
>>>>>>>>>> I will
>>>>>>>>>>
>>>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch.
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723
>>>>>>>> NACK
>>>>>>>>
>>>>>>>> 1)
>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0
>>>>>>>>
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>>>
>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>>>> 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN
>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA
>>>>>>>> client is
>>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your
>>>>>>>> system
>>>>>>>> may be partly configured.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run
>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>>> when the domain is at level 0.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>> ipa-replica-install command failed. See
>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit
>>>>>>>> code: 1
>>>>>>>> FAILED
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall
>>>>>>>>
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>>>
>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r',
>>>>>>>> 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA
>>>>>>>> client is
>>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your
>>>>>>>> system
>>>>>>>> may be partly configured.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>>> when the domain is at level 0.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>> ipa-replica-install command failed. See
>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit
>>>>>>>> code: 1
>>>>>>>> FAILED
>>>>>>>>
>>>>>>>> 3)
>>>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall
>>>>>>>>
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport]
>>>>>>>>
>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w',
>>>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1',
>>>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN
>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123',
>>>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address',
>>>>>>>> '192.168.200.103', '-r', 'IPA.TEST']
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA
>>>>>>>> client is
>>>>>>>> already configured on this system, ignoring the --domain, --server,
>>>>>>>> --realm, --hostname, --password and --keytab options.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your
>>>>>>>> system
>>>>>>>> may be partly configured.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run
>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must
>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica
>>>>>>>> when the domain is at level 0.
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22]
>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
>>>>>>>> ipa-replica-install command failed. See
>>>>>>>> /var/log/ipareplica-install.log for more information
>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit
>>>>>>>> code: 1
>>>>>>>> FAILED
>>>>>>>>
>>>>>>>> Reason:
>>>>>>>>
>>>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>>> setup_dns=False, >>>>>>>> - setup_kra=False, extra_args=()): >>>>>>>> + setup_kra=False, extra_args=(), >>>>>>>> domain_level=None): >>>>>>>> + if domain_level is None: >>>>>>>> + domain_level = domainlevel(master)
>>>>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed
>>>>>> The successful run is attached
>>>>>>
>>>>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>>>> + if domainlevel == DOMAIN_LEVEL_0:
>>>>>>>>
>>>>>>>> domain_level variable is actually unused
>>>>>>>>
>>>>>>> Also with your patch that removes host_prepare, I see many following
>>>>>>> errors in test debug output
>>>>>>>
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash:
>>>>>>> line 1:
>>>>>>> cd: /root/ipatests: No such file or directory
>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash:
>>>>>>> line 2:
>>>>>>> /root/ipatests/env.sh: No such file or directory
>>>>>>>
>>>>>>> I do not see these errors in current tests, so the patch does not
>>>>>>> seem
>>>>>>> right to me.
>>>>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull
>>>>>>
>>>>>> I've been experimenting a lot to find get rid of it but was
>>>>>> unsuccessful. Seemingly it does not affect the tests.
>>>>>>
>>>>> Oleg it looks like you broke something
>>>>> in the test_integration/test_external_ca.py
>>>>>
>>>>> _______________________ TestExternalCA.test_external_ca
>>>>> ________________________
>>>>>
>>>>> self =
>>>> object at 0x7ff560a51750>
>>>>>
>>>>> def test_external_ca(self):
>>>>>     # Step 1 of ipa-server-install
>>>>>     self.master.run_command([
>>>>>         'ipa-server-install', '-U',
>>>>>         '-a', self.master.config.admin_password,
>>>>>         '-p', self.master.config.dirman_password,
>>>>>         '--setup-dns', '--no-forwarders',
>>>>>         '-n', self.master.domain.name,
>>>>>         '-r', self.master.domain.realm,
>>>>>         '--domain-level=%i' % self.master.config.domain_level,
>>>>>         '--external-ca'
>>>>>     ])
>>>>>     nss_db = os.path.join(self.master.config.test_dir,
>>>>>         'testdb')
>>>>>     external_cert_file = os.path.join(nss_db, 'ipa.crt')
>>>>>     external_ca_file = os.path.join(nss_db, 'ca.crt')
>>>>>     noisefile = os.path.join(self.master.config.test_dir,
>>>>>         'noise.txt')
>>>>>     pwdfile = os.path.join(self.master.config.test_dir,
>>>>>         'pwdfile.txt')
>>>>>     # Create noise and password files for NSS database
>>>>>>    self.master.run_command('date | sha256sum > %s' % noisefile)
>>>>> test_integration/test_external_ca.py:49:
>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>>> _ _ _ _ _ _
>>>>> ../pytest_multihost/host.py:246: in run_command
>>>>>     command.wait(raiseonerr=raiseonerr)
>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>>> _ _ _ _ _ _
>>>>>
>>>>> self =
>>>> 0x7ff5609eb610>
>>>>> raiseonerr = True
>>>>>
>>>>> def wait(self, raiseonerr=True):
>>>>>     """Wait for the remote process to exit
>>>>>     Raises an excption if the exit code is not 0,
>>>>>     unless raiseonerr is
>>>>>     true.
>>>>>     """
>>>>>     if self._done:
>>>>>         return self.returncode
>>>>>     self._end_process()
>>>>>     self._done = True
>>>>>     if raiseonerr and self.returncode:
>>>>>         self.log.error('Exit code: %s', self.returncode)
>>>>>>        raise subprocess.CalledProcessError(self.returncode,
>>>>>>            self.argv)
>>>>> E CalledProcessError: Command 'date | sha256sum >
>>>>> /root/ipatests/noise.txt' returned non-zero exit status 1
>>>>>
>>>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>>>> ---------------------------- Captured stdout setup
>>>>> -----------------------------
>>>>>
>>>>> ========================== 1 failed in 32.25 seconds
>>>>> ===========================
>>>>>
>>>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>>>
>>>>> The only explanation is that the directory /root/ipatests/ does not
>>>>> exist.
>>>> Obviously this is caused by my patch N 0025
>>>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>>>
>>>> Without it replica_promotion tests would fail. The only compromise I
>>>> see
>>>> is to remove this line in unapply_fixes function in
>>>> ipatests/test_integration/tasks.py:
>>>>
>>>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>>>
>>>> Now the biggest question is: why do we keep removing the config folder
>>>> anyway? All the files (backups of /etc/hosts, etc) that ever get there
>>>> get overwritten each time anyway so it's quite safe to just keep the
>>>> folder throughout the whole test execution.
>>>>
>>> I do not know why it was removed. IMHO it should be enough
>>> to remove just content of this directory.
>>>
>>> But it will be good to fix it ASAP
>>> and unblock test test_integration/test_external_ca.py
>>> I hope we want to have green test in 4.3 branch.
>>> Please also open a ticket so it can be backported to
>>> stable branch (if needed)
>>>
>>> LS
>>>
>
> NACK
>
> 0)
> it is not refactoring, it is bugfixing because it is broken
>
> 1)
> Originally prepare hosts were called for every installation where tasks
> install_server, install_replica, install_client were used. Now hosts are
> prepared only in base install class, so all test cases where install
> classmethod is overridden will have no test directory prepared. Does
> py.test have any method that is called for each test class before install?

Well, we can revert my changes from patch-0025 that actually removed
prepare_host call from a mh fixture in
ipatests/pytest_plugins/integration.py
Then we probably do not need most of the changes from this patch except
the try-except section in prepare_host method itself.

>
> 2)
> I don't like new option in unapply fixes, it breaks symmetry, if
> prepare_host is adding directory, then reverse operation should remove
> directory, IMO unapply_fixes is reverse operation for prepare_host and
> it should not have any option that changes behavior.

Agreed. Will remove it.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From mbasti at redhat.com Tue Mar 22 14:03:09 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 22 Mar 2016 15:03:09 +0100
Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan
In-Reply-To: <56F148E0.9000907@redhat.com>
References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> <56F00B16.90402@redhat.com> <56F14360.5050802@redhat.com> <56F148E0.9000907@redhat.com>
Message-ID: <56F1509D.2010908@redhat.com>

On 22.03.2016 14:30, Oleg Fayans wrote:
>
> On 03/22/2016 02:06 PM, Martin Basti wrote:
>>
>> On 21.03.2016 15:54, Oleg Fayans wrote:
>>> Hi Lukas, Martin,
>>>
>>> Looks like I've implemented the approach proposed by Martin. The issue seems
>>> to have gone (see the external_ca_out for external_ca test output).
>>> Would like you to take a look and tell me what you think.
>>> >>> >>> On 03/17/2016 08:37 PM, Lukas Slebodnik wrote: >>>> On (17/03/16 16:00), Oleg Fayans wrote: >>>>> Hi Lukas, >>>>> >>>>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: >>>>>> On (10/03/16 23:09), Oleg Fayans wrote: >>>>>>> Hi Martin, >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 03/08/2016 08:18 PM, Martin Basti wrote: >>>>>>>> On 08.03.2016 18:24, Martin Basti wrote: >>>>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>>>>>>> The patches were rebased against the current master >>>>>>>>>> >>>>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>>>>>>> * old messages have been removed * >>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>> this method is unused please remove it >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd >>>>>>>>>>>> better >>>>>>>>>>>> keep it: >>>>>>>>>>>> >>>>>>>>>>>> -bash-4.3$ ipa-run-tests >>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>> --collect-only >>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> test session starts >>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>> pytest.ini >>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>> collected 8 items >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> aah my bad, I forgot that pytest executes it when it begins >>>>>>>>>>> with test_* >>>>>>>>>>> even in parent class >>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>> Why are these there? 
I do not see any usage >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> from env_config import get_global_config >>>>>>>>>>>>>>> config = get_global_config() >>>>>>>>>>>> Removed >>>>>>>>>>>> >>>>>>>>>>>>>>> 3) nitpick >>>>>>>>>>>>>>> + num_clients = 0 >>>>>>>>>>>>>>> this is set by default >>>>>>>>>>>> Removed >>>>>>>>>>>> >>>>>>>>>>>>>>> otherwise LGTM >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Results of testing tomorrow. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> I applied all patches including workarounds, but test failed. >>>>>>>>>>>>>> >>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>>>>> 'Secret123', >>>>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>> The host >>>>>>>>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>> You should >>>>>>>>>>>>>> remove it before proceeding: >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] % ipa >>>>>>>>>>>>>> host-del replica1.ipa.test >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>>>>>> ipa-replica-install command failed. See >>>>>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] Exit >>>>>>>>>>>>>> code: 3 >>>>>>>>>>>>>> FAILED >>>>>>>>>>>> this is exactly the error that happens when a workaround for >>>>>>>>>>>> 5627 >>>>>>>>>>>> is not >>>>>>>>>>>> applied. 
I have re-run the tests with all the patches and >>>>>>>>>>>> everything >>>>>>>>>>>> passed. Could you please double-check, whether patch 0027 was >>>>>>>>>>>> applied >>>>>>>>>>>> correctly? >>>>>>>>>>>> >>>>>>>>>>>> bash-4.3$ ipa-run-tests >>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>> --pdb >>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> test session starts >>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>> pytest.ini >>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>> collected 8 items >>>>>>>>>>>> >>>>>>>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>>>>>>> >>>>>>>>>>>> ================================================================================ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 8 passed in 7561.93 seconds >>>>>>>>>>>> ================================================================================= >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> I will >>>>>>>>>>> >>>>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>>>>>>> NACK >>>>>>>>> >>>>>>>>> 1) >>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>> >>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>> 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA >>>>>>>>> client is >>>>>>>>> already configured on this system, ignoring the --domain, --server, >>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your >>>>>>>>> system >>>>>>>>> may be partly configured. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>>>>> when the domain is at level 0. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit >>>>>>>>> code: 1 >>>>>>>>> FAILED >>>>>>>>> >>>>>>>>> 2) >>>>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>> >>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>> 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>> client is >>>>>>>>> already configured on this system, ignoring the --domain, --server, >>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>> system >>>>>>>>> may be partly configured. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>>>>> when the domain is at level 0. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>> code: 1 >>>>>>>>> FAILED >>>>>>>>> >>>>>>>>> >>>>>>>>> 3) >>>>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>> >>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', 'Secret123', >>>>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>>>>>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>> client is >>>>>>>>> already configured on this system, ignoring the --domain, --server, >>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>> system >>>>>>>>> may be partly configured. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You must >>>>>>>>> provide a file generated by ipa-replica-prepare to create a replica >>>>>>>>> when the domain is at level 0. >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>> code: 1 >>>>>>>>> FAILED >>>>>>>>> >>>>>>>>> >>>>>>>>> Reason: >>>>>>>>> >>>>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>>>> setup_dns=False, >>>>>>>>> - setup_kra=False, extra_args=()): >>>>>>>>> + setup_kra=False, extra_args=(), >>>>>>>>> domain_level=None): >>>>>>>>> + if domain_level is None: >>>>>>>>> + domain_level = domainlevel(master) >>>>>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>>>>>> The successful run is attached >>>>>>> >>>>>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>>>>>> >>>>>>>>> domain_level variable is actually unused >>>>>>>>> >>>>>>>> Also with your patch that removes host_prepare, I see many following >>>>>>>> errors in test debug output >>>>>>>> >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>> line 1: >>>>>>>> cd: /root/ipatests: No such file or directory >>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>> line 2: >>>>>>>> /root/ipatests/env.sh: No such file or directory >>>>>>>> >>>>>>>> >>>>>>>> I do not see these errors in current tests, so the patch does not >>>>>>>> seem >>>>>>>> right to me. >>>>>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>>>>>> >>>>>>> >>>>>>> I've been experimenting a lot to find get rid of it but was >>>>>>> unsuccessful. Seemingly it does not affect the tests. 
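Review bot: In the quoted install_replica hunk, the changed condition "if domainlevel == DOMAIN_LEVEL_0:" compares the domainlevel function itself with the constant instead of the new domain_level local, so the comparison is always false and the value assigned by "domain_level = domainlevel(master)" is never read. The condition should be "if domain_level == DOMAIN_LEVEL_0:"; with the current form the level 0 runs fall through to the branch that calls ipa-replica-install without a replica file, which matches the "You must provide a file generated by ipa-replica-prepare" errors quoted above the hunk.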
>>>>>>> >>>>>> Oleg it looks like you broke something >>>>>> in the test_integration/test_external_ca.py >>>>>> >>>>>> _______________________ TestExternalCA.test_external_ca >>>>>> ________________________ >>>>>> >>>>>> self = >>>>> object at 0x7ff560a51750> >>>>>> >>>>>> def test_external_ca(self): >>>>>> # Step 1 of ipa-server-install >>>>>> self.master.run_command([ >>>>>> 'ipa-server-install', '-U', >>>>>> '-a', self.master.config.admin_password, >>>>>> '-p', self.master.config.dirman_password, >>>>>> '--setup-dns', '--no-forwarders', >>>>>> '-n', self.master.domain.name, >>>>>> '-r', self.master.domain.realm, >>>>>> '--domain-level=%i' % self.master.config.domain_level, >>>>>> '--external-ca' >>>>>> ]) >>>>>> nss_db = os.path.join(self.master.config.test_dir, >>>>>> 'testdb') >>>>>> external_cert_file = os.path.join(nss_db, 'ipa.crt') >>>>>> external_ca_file = os.path.join(nss_db, 'ca.crt') >>>>>> noisefile = os.path.join(self.master.config.test_dir, >>>>>> 'noise.txt') >>>>>> pwdfile = os.path.join(self.master.config.test_dir, >>>>>> 'pwdfile.txt') >>>>>> # Create noise and password files for NSS database >>>>>>> self.master.run_command('date | sha256sum > %s' % noisefile) >>>>>> test_integration/test_external_ca.py:49: >>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>> _ _ _ _ _ _ >>>>>> ../pytest_multihost/host.py:246: in run_command >>>>>> command.wait(raiseonerr=raiseonerr) >>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>> _ _ _ _ _ _ >>>>>> >>>>>> self = >>>>> 0x7ff5609eb610> >>>>>> raiseonerr = True >>>>>> >>>>>> def wait(self, raiseonerr=True): >>>>>> """Wait for the remote process to exit >>>>>> Raises an excption if the exit code is not 0, >>>>>> unless raiseonerr is >>>>>> true. 
>>>>>> """
>>>>>> if self._done:
>>>>>> return self.returncode
>>>>>> self._end_process()
>>>>>> self._done = True
>>>>>> if raiseonerr and self.returncode:
>>>>>> self.log.error('Exit code: %s', self.returncode)
>>>>>>> raise subprocess.CalledProcessError(self.returncode,
>>>>>>> self.argv)
>>>>>> E CalledProcessError: Command 'date | sha256sum >
>>>>>> /root/ipatests/noise.txt' returned non-zero exit status 1
>>>>>>
>>>>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>>>>> ---------------------------- Captured stdout setup
>>>>>> -----------------------------
>>>>>>
>>>>>> ========================== 1 failed in 32.25 seconds
>>>>>> ===========================
>>>>>>
>>>>>>
>>>>>>
>>>>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>>>>
>>>>>> The only explanation is that the directory /root/ipatests/ does not
>>>>>> exist.
>>>>> Obviously this is caused by my patch N 0025
>>>>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>>>>
>>>>>
>>>>> Without it replica_promotion tests would fail. The only compromise I
>>>>> see
>>>>> is to remove this line in unapply_fixes function in
>>>>> ipatests/test_integration/tasks.py:
>>>>>
>>>>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>>>>
>>>>> Now the biggest question is: why do we keep removing the config folder
>>>>> anyway? All the files (backups of /etc/hosts, etc) that ever get there
>>>>> get overwritten each time anyway so it's quite safe to just keep the
>>>>> folder throughout the whole test execution.
>>>>>
>>>> I do not know why it was removed. IMHO it should be enough
>>>> to remove just content of this directory.
>>>>
>>>> But it will be good to fix it ASAP
>>>> and unblock test test_integration/test_external_ca.py
>>>> I hope we want to have green test in 4.3 branch.
>>>> Please also open a ticket so it can be backported to
>>>> stable branch (if needed)
>>>>
>>>> LS
>>>>
>> NACK
>>
>> 0)
>> it is not refactoring, it is bugfixing because it is broken
>>
>> 1)
>> Originally prepare hosts were called for every installation where tasks
>> install_server, install_replica, install_client were used. Now hosts are
>> prepared only in base install class, so all test cases where install
>> classmethod is overridden will have no test directory prepared. Does
>> py.test have any method that is called for each test class before install?
> Well, we can revert my changes from patch-0025 that actually removed
> prepare_host call from a mh fixture in
> ipatests/pytest_plugins/integration.py
> Then we probably do not need most of the changes from this patch except
> the try-except section in prepare_host method itself.

OK

>
>> 2)
>> I don't like new option in unapply fixes, it breaks symmetry, if
>> prepare_host is adding directory, then reverse operation should remove
>> directory, IMO unapply_fixes is reverse operation for prepare_host and
>> it should not have any option that changes behavior.
> Agreed. Will remove it.
> From mbabinsk at redhat.com Tue Mar 22 15:11:06 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 22 Mar 2016 16:11:06 +0100 Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded In-Reply-To: <56EFDA20.9090005@redhat.com> References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> <56EFDA20.9090005@redhat.com> Message-ID: <56F1608A.4060805@redhat.com> On 03/21/2016 12:25 PM, Jan Cholasta wrote: > On 21.3.2016 10:17, Petr Spacek wrote: >> On 18.3.2016 13:49, Rob Crittenden wrote: >>> Martin Babinsky wrote: >>>> These patches implement behavior agreed upon during discussion of >>>> https://fedorahosted.org/freeipa/ticket/5677 >>>> >>>> However I'm not sure if we want to push them into 4-3 branch (the >>>> ticket >>>> is triaged into 4.3.2 milestone) since they modify the framework >>>> behavior quite a bit. >>>> >>>> If there is no need to have it there (CC'ing Milan since he is the >>>> reporter), I would retriage it into 4.4 milestone. >>> >>> >>> + desc="while getting entries (search base: '{}'," >>> + "filter: {})".format(base_dn, filter)) >>> >>> This is going to expose parts of the DIT in an error message to >>> users. We have >>> tried in the past to hide the implementation. I'd propose logging the >>> error >>> and making the exception less verbose. > > I agree with Rob here, we shouldn't expose internal stuff in error > messages for users. > > In this particular case, even if we included internal stuff in the error > message, it should be the error message returned by the server rather > than this ad-hoc message. > >> >> IMHO it actually helps to print the DN. At very least the user can see >> if the >> error is happening always with the same DN or if it keeps changing. >> >> In other words, for user it is not that important to understand >> meaning of the >> DN but it might be important to see if it is the same or not. 
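Review bot: The added desc= argument in the quoted hunk interpolates base_dn and filter into text that reaches the user, which discloses the directory layout and the search filter; log those two values on the server side and keep the exception text to the kind of limit that was exceeded. If the message is kept, the two adjacent literals join as "(search base: '{}',filter: {})" with no space after the comma, and the local name filter shadows the Python builtin.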
> > I can't imagine a situation where it would actually be useful for the > user (as opposed to the admin, who has access to logs) to know the base > DN of some arbitrary LDAP search operation. Could you give an example? > Right, attaching updated patches. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0143.1-differentiate-between-limit-types-when-LDAP-search-e.patch Type: text/x-patch Size: 12808 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0144.1-specify-type-of-exceeded-limit-when-warning-about-tr.patch Type: text/x-patch Size: 4901 bytes Desc: not available URL: From ofayans at redhat.com Tue Mar 22 15:23:52 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 22 Mar 2016 16:23:52 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56F1509D.2010908@redhat.com> References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> <56F00B16.90402@redhat.com> <56F14360.5050802@redhat.com> <56F148E0.9000907@redhat.com> <56F1509D.2010908@redhat.com> Message-ID: <56F16388.7060503@redhat.com> Hi Martin, As per discussion, reverted 0025 patch and added try-catch in prepare_host method to make replica promotion tests pass On 03/22/2016 03:03 PM, Martin Basti wrote: > > > On 22.03.2016 14:30, Oleg Fayans wrote: >> >> On 03/22/2016 02:06 PM, Martin Basti wrote: >>> >>> On 21.03.2016 15:54, Oleg Fayans wrote: >>>> Hi Lukas, Martin, >>>> >>>> Looks I've implemented the approach proposed by Martin. 
The issue seems >>>> to have gone (see the external_ca_out for external_ca test output). >>>> Would like you to take a look and tell me what'd you think. >>>> >>>> >>>> On 03/17/2016 08:37 PM, Lukas Slebodnik wrote: >>>>> On (17/03/16 16:00), Oleg Fayans wrote: >>>>>> Hi Lukas, >>>>>> >>>>>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: >>>>>>> On (10/03/16 23:09), Oleg Fayans wrote: >>>>>>>> Hi Martin, >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 03/08/2016 08:18 PM, Martin Basti wrote: >>>>>>>>> On 08.03.2016 18:24, Martin Basti wrote: >>>>>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>>>>>>>> The patches were rebased against the current master >>>>>>>>>>> >>>>>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>>>>>>>> * old messages have been removed * >>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>> this method is unused please remove it >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd >>>>>>>>>>>>> better >>>>>>>>>>>>> keep it: >>>>>>>>>>>>> >>>>>>>>>>>>> -bash-4.3$ ipa-run-tests >>>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>>> --collect-only >>>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> test session starts >>>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>>> pytest.ini >>>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>>> collected 8 items >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 
>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> aah my bad, I forgot that pytest executes it when it begins >>>>>>>>>>>> with test_* >>>>>>>>>>>> even in parent class >>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>> Why are these there? I do not see any usage >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> from env_config import get_global_config >>>>>>>>>>>>>>>> config = get_global_config() >>>>>>>>>>>>> Removed >>>>>>>>>>>>> >>>>>>>>>>>>>>>> 3) nitpick >>>>>>>>>>>>>>>> + num_clients = 0 >>>>>>>>>>>>>>>> this is set by default >>>>>>>>>>>>> Removed >>>>>>>>>>>>> >>>>>>>>>>>>>>>> otherwise LGTM >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Results of testing tomorrow. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I applied all patches including workarounds, but test >>>>>>>>>>>>>>> failed. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>>>>>> 'Secret123', >>>>>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>> The host >>>>>>>>>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>> You should >>>>>>>>>>>>>>> remove it before proceeding: >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>> % ipa >>>>>>>>>>>>>>> host-del replica1.ipa.test >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR >>>>>>>>>>>>>>> The >>>>>>>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>> Exit >>>>>>>>>>>>>>> code: 3 >>>>>>>>>>>>>>> FAILED >>>>>>>>>>>>> this is exactly the error that happens when a workaround for >>>>>>>>>>>>> 5627 >>>>>>>>>>>>> is not >>>>>>>>>>>>> applied. I have re-run the tests with all the patches and >>>>>>>>>>>>> everything >>>>>>>>>>>>> passed. Could you please double-check, whether patch 0027 was >>>>>>>>>>>>> applied >>>>>>>>>>>>> correctly? >>>>>>>>>>>>> >>>>>>>>>>>>> bash-4.3$ ipa-run-tests >>>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>>> --pdb >>>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> test session starts >>>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>>> pytest.ini >>>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>>> collected 8 items >>>>>>>>>>>>> >>>>>>>>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>>>>>>>> >>>>>>>>>>>>> ================================================================================ >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> 8 passed in 7561.93 seconds >>>>>>>>>>>>> ================================================================================= >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> I will >>>>>>>>>>>> >>>>>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>>>>>>>> NACK >>>>>>>>>> >>>>>>>>>> 1) >>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', >>>>>>>>>> '-r', >>>>>>>>>> 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', >>>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>>> 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA >>>>>>>>>> client is >>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>> --server, >>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your >>>>>>>>>> system >>>>>>>>>> may be partly configured. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>> must >>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>> replica >>>>>>>>>> when the domain is at level 0. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit >>>>>>>>>> code: 1 >>>>>>>>>> FAILED >>>>>>>>>> >>>>>>>>>> 2) >>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', >>>>>>>>>> '-r', >>>>>>>>>> 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', >>>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>>> 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>>> client is >>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>> --server, >>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>>> system >>>>>>>>>> may be partly configured. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>> must >>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>> replica >>>>>>>>>> when the domain is at level 0. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>>> code: 1 >>>>>>>>>> FAILED >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 3) >>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>>>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>> 'Secret123', >>>>>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>>>>>>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>>> client is >>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>> --server, >>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>>> system >>>>>>>>>> may be partly configured. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>> must >>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>> replica >>>>>>>>>> when the domain is at level 0. >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>>> code: 1 >>>>>>>>>> FAILED >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Reason: >>>>>>>>>> >>>>>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>>>>> setup_dns=False, >>>>>>>>>> - setup_kra=False, extra_args=()): >>>>>>>>>> + setup_kra=False, extra_args=(), >>>>>>>>>> domain_level=None): >>>>>>>>>> + if domain_level is None: >>>>>>>>>> + domain_level = domainlevel(master) >>>>>>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>>>>>>> The successful run is attached >>>>>>>> >>>>>>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>>>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>>>>>>> >>>>>>>>>> domain_level variable is actually unused >>>>>>>>>> >>>>>>>>> Also with your patch that removes host_prepare, I see many >>>>>>>>> following >>>>>>>>> errors in test debug output >>>>>>>>> >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>>> line 1: >>>>>>>>> cd: /root/ipatests: No such file or directory >>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>>> line 2: >>>>>>>>> /root/ipatests/env.sh: No such file or directory >>>>>>>>> >>>>>>>>> >>>>>>>>> I do not see these errors in current tests, so the patch does not >>>>>>>>> seem >>>>>>>>> right to me. >>>>>>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I've been experimenting a lot to find get rid of it but was >>>>>>>> unsuccessful. Seemingly it does not affect the tests. 
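Review bot: In the quoted install_replica hunk above, the changed condition `if domainlevel == DOMAIN_LEVEL_0:` compares the name `domainlevel` itself with the constant. That name is the helper the same patch calls as `domainlevel(master)`, so the result no longer depends on the master's level, and the new `domain_level` argument is assigned but never read. The comparison should be `if domain_level == DOMAIN_LEVEL_0:`. The visible lines also do not document the new `domain_level=None` keyword, whose `None` default means "ask the master".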
>>>>>>>> >>>>>>> Oleg it looks like you broke something >>>>>>> in the test_integration/test_external_ca.py >>>>>>> >>>>>>> _______________________ TestExternalCA.test_external_ca >>>>>>> ________________________ >>>>>>> >>>>>>> self = >>>>>> object at 0x7ff560a51750> >>>>>>> >>>>>>> def test_external_ca(self): >>>>>>> # Step 1 of ipa-server-install >>>>>>> self.master.run_command([ >>>>>>> 'ipa-server-install', '-U', >>>>>>> '-a', self.master.config.admin_password, >>>>>>> '-p', self.master.config.dirman_password, >>>>>>> '--setup-dns', '--no-forwarders', >>>>>>> '-n', self.master.domain.name, >>>>>>> '-r', self.master.domain.realm, >>>>>>> '--domain-level=%i' % self.master.config.domain_level, >>>>>>> '--external-ca' >>>>>>> ]) >>>>>>> nss_db = os.path.join(self.master.config.test_dir, >>>>>>> 'testdb') >>>>>>> external_cert_file = os.path.join(nss_db, 'ipa.crt') >>>>>>> external_ca_file = os.path.join(nss_db, 'ca.crt') >>>>>>> noisefile = os.path.join(self.master.config.test_dir, >>>>>>> 'noise.txt') >>>>>>> pwdfile = os.path.join(self.master.config.test_dir, >>>>>>> 'pwdfile.txt') >>>>>>> # Create noise and password files for NSS database >>>>>>>> self.master.run_command('date | sha256sum > %s' % >>>>>>>> noisefile) >>>>>>> test_integration/test_external_ca.py:49: >>>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>>> _ _ _ _ _ _ >>>>>>> ../pytest_multihost/host.py:246: in run_command >>>>>>> command.wait(raiseonerr=raiseonerr) >>>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>>> _ _ _ _ _ _ >>>>>>> >>>>>>> self = >>>>>> 0x7ff5609eb610> >>>>>>> raiseonerr = True >>>>>>> >>>>>>> def wait(self, raiseonerr=True): >>>>>>> """Wait for the remote process to exit >>>>>>> Raises an excption if the exit code is not 0, >>>>>>> unless raiseonerr is >>>>>>> true. 
>>>>>>> """
>>>>>>> if self._done:
>>>>>>> return self.returncode
>>>>>>> self._end_process()
>>>>>>> self._done = True
>>>>>>> if raiseonerr and self.returncode:
>>>>>>> self.log.error('Exit code: %s', self.returncode)
>>>>>>>> raise subprocess.CalledProcessError(self.returncode,
>>>>>>>> self.argv)
>>>>>>> E CalledProcessError: Command 'date | sha256sum >
>>>>>>> /root/ipatests/noise.txt' returned non-zero exit status 1
>>>>>>>
>>>>>>> ../pytest_multihost/transport.py:159: CalledProcessError
>>>>>>> ---------------------------- Captured stdout setup
>>>>>>> -----------------------------
>>>>>>>
>>>>>>> ========================== 1 failed in 32.25 seconds
>>>>>>> ===========================
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The command "date | sha256sum > /root/ipatests/noise.txt"
>>>>>>>
>>>>>>> The only explanation is that the directory /root/ipatests/ does not
>>>>>>> exist.
>>>>>> Obviously this is caused by my patch N 0025
>>>>>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch
>>>>>>
>>>>>>
>>>>>>
>>>>>> Without it replica_promotion tests would fail. The only compromise I
>>>>>> see
>>>>>> is to remove this line in unapply_fixes function in
>>>>>> ipatests/test_integration/tasks.py:
>>>>>>
>>>>>> host.run_command(['rm', '-rvf', host.config.test_dir])
>>>>>>
>>>>>> Now the biggest question is: why do we keep removing the config
>>>>>> folder
>>>>>> anyway? All the files (backups of /etc/hosts, etc) that ever get
>>>>>> there
>>>>>> get overwritten each time anyway so it's quite safe to just keep the
>>>>>> folder throughout the whole test execution.
>>>>>>
>>>>> I do not know why it was removed. IMHO it should be enough
>>>>> to remove just content of this directory.
>>>>>
>>>>> But it will be good to fix it ASAP
>>>>> and unblock test test_integration/test_external_ca.py
>>>>> I hope we want to have green test in 4.3 branch.
>>>>> Please also open a ticket so it can be backported to
>>>>> stable branch (if needed)
>>>>>
>>>>> LS
>>>>>
>>> NACK
>>>
>>> 0)
>>> it is not refactoring, it is bugfixing because it is broken
>>>
>>> 1)
>>> Originally prepare hosts were called for every installation where tasks
>>> install_server, install_replica, install_client were used. Now hosts are
>>> prepared only in base install class, so all test cases where install
>>> classmethod is overridden will have no test directory prepared. Does
>>> py.test have any method that is called for each test class before install?
>> Well, we can revert my changes from patch-0025 that actually removed
>> prepare_host call from a mh fixture in
>> ipatests/pytest_plugins/integration.py
>> Then we probably do not need most of the changes from this patch except
>> the try-except section in prepare_host method itself.
> OK
>>
>>> 2)
>>> I don't like new option in unapply fixes, it breaks symmetry, if
>>> prepare_host is adding directory, then reverse operation should remove
>>> directory, IMO unapply_fixes is reverse operation for prepare_host and
>>> it should not have any option that changes behavior.
>> Agreed. Will remove it.
>>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0028-Fixed-a-bug-with-prepare_host-failing-upon-existing-ipatests-folder.patch
Type: text/x-patch
Size: 1098 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0031-Reverted-changes-in-mh-fixture.patch Type: text/x-patch Size: 1565 bytes Desc: not available URL: From rcritten at redhat.com Tue Mar 22 15:28:01 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 22 Mar 2016 11:28:01 -0400 Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded In-Reply-To: <56F1608A.4060805@redhat.com> References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> <56EFDA20.9090005@redhat.com> <56F1608A.4060805@redhat.com> Message-ID: <56F16481.9070304@redhat.com> Martin Babinsky wrote: > On 03/21/2016 12:25 PM, Jan Cholasta wrote: >> On 21.3.2016 10:17, Petr Spacek wrote: >>> On 18.3.2016 13:49, Rob Crittenden wrote: >>>> Martin Babinsky wrote: >>>>> These patches implement behavior agreed upon during discussion of >>>>> https://fedorahosted.org/freeipa/ticket/5677 >>>>> >>>>> However I'm not sure if we want to push them into 4-3 branch (the >>>>> ticket >>>>> is triaged into 4.3.2 milestone) since they modify the framework >>>>> behavior quite a bit. >>>>> >>>>> If there is no need to have it there (CC'ing Milan since he is the >>>>> reporter), I would retriage it into 4.4 milestone. >>>> >>>> >>>> + desc="while getting entries (search base: '{}'," >>>> + "filter: {})".format(base_dn, filter)) >>>> >>>> This is going to expose parts of the DIT in an error message to >>>> users. We have >>>> tried in the past to hide the implementation. I'd propose logging the >>>> error >>>> and making the exception less verbose. >> >> I agree with Rob here, we shouldn't expose internal stuff in error >> messages for users. >> >> In this particular case, even if we included internal stuff in the error >> message, it should be the error message returned by the server rather >> than this ad-hoc message. >> >>> >>> IMHO it actually helps to print the DN. 
At very least the user can see >>> if the >>> error is happening always with the same DN or if it keeps changing. >>> >>> In other words, for user it is not that important to understand >>> meaning of the >>> DN but it might be important to see if it is the same or not. >> >> I can't imagine a situation where it would actually be useful for the >> user (as opposed to the admin, who has access to logs) to know the base >> DN of some arbitrary LDAP search operation. Could you give an example? >> > Right, attaching updated patches. I may have suggested debug logging the detailed error. I was wrong. This should log at the error level so it always appears in the logs. This may be a spurious error and having the user turn on debug logging to capture the reasons would be asking a lot. rob From mbasti at redhat.com Tue Mar 22 16:23:08 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 22 Mar 2016 17:23:08 +0100 Subject: [Freeipa-devel] [PATCH 0432, 0450] stageuser-activate: noralize manager value + tests In-Reply-To: <56E915B8.8060601@redhat.com> References: <56DEB130.3030005@redhat.com> <56E7D9F9.9030907@redhat.com> <56E915B8.8060601@redhat.com> Message-ID: <56F1716C.6070304@redhat.com> On 16.03.2016 09:13, Martin Basti wrote: > > > On 15.03.2016 10:46, David Kupka wrote: >> On 08/03/16 12:02, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5481 >>> >>> Patch attached. >>> >>> >> Works for me, ACK. >> > Pushed to master: 4871cb5b549042f383ee883e527e773c0abe9d87 > Pushed to ipa-4-3: 03743ba1d9191bf0d786116808dba4d7a3522b1f > Fix for tests. Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0450-Fix-stageuser-activate-managers-test.patch Type: text/x-patch Size: 8228 bytes Desc: not available URL: From mbasti at redhat.com Tue Mar 22 16:28:29 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 22 Mar 2016 17:28:29 +0100 Subject: [Freeipa-devel] [PATCH 0451] regression fix: catch Exception instead of more specific exception types Message-ID: <56F172AD.70800@redhat.com> Patch attached, it fixes regression caused by mbasti-442 patch (master only). -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0451-Fix-catch-Exception-instead-of-more-specific-excepti.patch Type: text/x-patch Size: 2488 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Mar 22 16:32:12 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 22 Mar 2016 17:32:12 +0100 Subject: [Freeipa-devel] [PATCH 0451] regression fix: catch Exception instead of more specific exception types In-Reply-To: <56F172AD.70800@redhat.com> References: <56F172AD.70800@redhat.com> Message-ID: <56F1738C.5090205@redhat.com> On 03/22/2016 05:28 PM, Martin Basti wrote: > Patch attached, it fixes regression caused by mbasti-442 patch (master > only). > > ACK -- Martin^3 Babinsky From mbasti at redhat.com Tue Mar 22 16:33:28 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 22 Mar 2016 17:33:28 +0100 Subject: [Freeipa-devel] [PATCH 0451] regression fix: catch Exception instead of more specific exception types In-Reply-To: <56F1738C.5090205@redhat.com> References: <56F172AD.70800@redhat.com> <56F1738C.5090205@redhat.com> Message-ID: <56F173D8.7060308@redhat.com> On 22.03.2016 17:32, Martin Babinsky wrote: > On 03/22/2016 05:28 PM, Martin Basti wrote: >> Patch attached, it fixes regression caused by mbasti-442 patch (master >> only). 
>> >> > ACK > Pushed to master: d1e29fe60e75a6f40a780eb45e86f2ed87d00e5a From mbasti at redhat.com Tue Mar 22 17:30:36 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 22 Mar 2016 18:30:36 +0100 Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform In-Reply-To: <56F113B6.9070103@redhat.com> References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com> <56EBC8D9.9050501@redhat.com> <56EBDE21.7000200@redhat.com> <56F113B6.9070103@redhat.com> Message-ID: <56F1813C.6010902@redhat.com> On 22.03.2016 10:43, Martin Basti wrote: > > > On 18.03.2016 11:53, Christian Heimes wrote: >> On 2016-03-18 10:22, Martin Basti wrote: >>> >>> On 29.02.2016 16:02, David Kupka wrote: >>>> Hello Christian, >>>> sorry for letting this patch rot for so long. I've forget about it >>>> the minute Fraser replied. >>>> To compensate a little I've fixed pep8 error, rebased it and >>>> attaching two versions for master and for 4.3 branch. >>>> I haven't found any missing cases and it works for me. If you're OK >>>> with the modified patches it can be pushed. >>>> >>>> David >>>> >>>> ----- Original Message ----- >>>> From: "Christian Heimes" >>>> To: "Fraser Tweedale" >>>> Cc: "freeipa-devel" >>>> Sent: Wednesday, January 20, 2016 11:57:42 AM >>>> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants >>>> for PKI and DS into ipaplatform >>>> >>>> On 2016-01-20 02:54, Fraser Tweedale wrote: >>>>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >>>>>> ipaplatform.constants has platform specific names for a couple of >>>>>> system >>>>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, >>>>>> DS_USER >>>>>> and DS_GROUP are defined in other modules. Similar to #5587 the >>>>>> patch my >>>>>> patch moves the constants into the platform module. 
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5619
>>>>> I see a few remaining cases:
>>>>>
>>>>> ipaserver/install/dsinstance.py
>>>>> 712: pent = pwd.getpwnam("dirsrv")
>>>>>
>>>>> ipatests/test_integration/test_backup_and_restore.py
>>>>> 167: self.master.run_command(['userdel', 'dirsrv'])
>>>>> 168: self.master.run_command(['userdel', 'pkiuser'])
>>>>>
>>>>> ipaplatform/redhat/tasks.py
>>>>> 441: if name == 'pkiuser':
>>>>>
>>>>> When these are included, ACK.
>>>> Good catch!
>>>>
>>>> My new patch takes care of remaining cases.
>>>>
>>>>
>>>>
>>>>
>>> Christian do you agree with proposed changes, can we push it?
>>> Martin^2
>> Oh, the patch is still open? ACK!
>>
>>
> Pushed to ipa-4-3: e3bf65f2df9c50873f0967b96a6a2a5975a87f79
> Pushed to master: 49be6c8d3cc20902dbe8e92a74e31aed2fd21d9f
>
too-late-NACK

This patch broke ipa-restore.

please note that 2 modules are imported as same name in ipa_restore.py
from ipalib import api, errors, constants
from ipaplatform.constants import constants

2016-03-22T16:56:27Z DEBUG
  File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 218, in run
    self.backup_dir, constants.FQDN)

Martin^2

From pvoborni at redhat.com Tue Mar 22 17:35:44 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 22 Mar 2016 18:35:44 +0100
Subject: [Freeipa-devel] [DRAFT] FreeIPA 4.3.1 release notes
Message-ID: <56F18270.2030806@redhat.com>

Hello all,

I prepared the release notes on FreeIPA.org wiki:
http://www.freeipa.org/page/Releases/4.3.1

Updates or improvements to release notes page welcome.
Particularly if you think some bug fixes/improvements deserves to be noted out as a highlight, please give a suggestion or edit the page directly Thanks, -- Petr Vobornik From pvoborni at redhat.com Tue Mar 22 18:03:27 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 22 Mar 2016 19:03:27 +0100 Subject: [Freeipa-devel] [PATCH] 0005 webui: topology graph: canvas resizes itself according to the window size In-Reply-To: <56F03615.1020109@redhat.com> References: <56BC7105.3020609@redhat.com> <56BDD5A6.8010108@redhat.com> <56C1ECA4.2070900@redhat.com> <56C4ADF0.4080702@redhat.com> <56CF1498.8080302@redhat.com> <56E1AA07.5040102@redhat.com> <56E28B54.8090204@redhat.com> <56E9993F.6000705@redhat.com> <56F03615.1020109@redhat.com> Message-ID: <56F188EF.8000001@redhat.com> On 03/21/2016 06:57 PM, Pavel Vomacka wrote: >>>> >>>> >>>> 1. >>>> - width: 960, >>>> - height: 500, >>>> >>>> Graph even without this patch allows to set initial size in a >>>> constructor, e.g.: >>>> >>>> E.g. so he could also use: >>>> this.graph = new topology_graph.TopoGraph({ >>>> nodes: data.nodes, >>>> links: data.links, >>>> suffixes: data.suffixes >>>> height: height, >>>> width: width >>>> }); >>>> >>>> IMO we should leave some default size there, e.g. the old 960x500 so >>>> that the graph is shown even without explicit configuration. >>>> >>> Ok, I put the default size back, but into graph specification as you >>> write here. >> >> Ah, I badly expressed myself, sorry. I wanted to leave the original >> code on its place(TopoGraph). The above was just example what is >> possible with or without the change because it is not obvious from code. > Default size is returned back now. 
ACK pushed to master: * e45f7314e1a2276671435703e190c8dabb320739 Resize topology graph canvas according to window size ipa-4-3: * ffdd64732b0325747b7922b0c9ce5a16a2b5652e Resize topology graph canvas according to window size -- Petr Vobornik From tjaalton at ubuntu.com Tue Mar 22 19:08:29 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Tue, 22 Mar 2016 21:08:29 +0200 Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform In-Reply-To: <56F1813C.6010902@redhat.com> References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com> <56EBC8D9.9050501@redhat.com> <56EBDE21.7000200@redhat.com> <56F113B6.9070103@redhat.com> <56F1813C.6010902@redhat.com> Message-ID: <56F1982D.2060904@ubuntu.com> 22.03.2016, 19:30, Martin Basti kirjoitti: > > > On 22.03.2016 10:43, Martin Basti wrote: >> >> >> On 18.03.2016 11:53, Christian Heimes wrote: >>> On 2016-03-18 10:22, Martin Basti wrote: >>>> >>>> On 29.02.2016 16:02, David Kupka wrote: >>>>> Hello Christian, >>>>> sorry for letting this patch rot for so long. I've forget about it >>>>> the minute Fraser replied. >>>>> To compensate a little I've fixed pep8 error, rebased it and >>>>> attaching two versions for master and for 4.3 branch. >>>>> I haven't found any missing cases and it works for me. If you're OK >>>>> with the modified patches it can be pushed. 
>>>>> >>>>> David >>>>> >>>>> ----- Original Message ----- >>>>> From: "Christian Heimes" >>>>> To: "Fraser Tweedale" >>>>> Cc: "freeipa-devel" >>>>> Sent: Wednesday, January 20, 2016 11:57:42 AM >>>>> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants >>>>> for PKI and DS into ipaplatform >>>>> >>>>> On 2016-01-20 02:54, Fraser Tweedale wrote: >>>>>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >>>>>>> ipaplatform.constants has platform specific names for a couple of >>>>>>> system >>>>>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, >>>>>>> DS_USER >>>>>>> and DS_GROUP are defined in other modules. Similar to #5587 the >>>>>>> patch my >>>>>>> patch moves the constants into the platform module. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5619 >>>>>> I see a few remaining cases: >>>>>> >>>>>> ipaserver/install/dsinstance.py >>>>>> 712: pent = pwd.getpwnam("dirsrv") >>>>>> >>>>>> ipatests/test_integration/test_backup_and_restore.py >>>>>> 167: self.master.run_command(['userdel', 'dirsrv']) >>>>>> 168: self.master.run_command(['userdel', 'pkiuser']) >>>>>> >>>>>> ipaplatform/redhat/tasks.py >>>>>> 441: if name == 'pkiuser': >>>>>> >>>>>> When these are included, ACK. >>>>> Good catch! >>>>> >>>>> My new patch takes care of remaining cases. >>>>> >>>>> >>>>> >>>>> >>>> Christian do you agree with proposed changes, can we push it? >>>> Martin^2 >>> Oh, the patch is still open? ACK! >>> >>> >> Pushed to ipa-4-3: e3bf65f2df9c50873f0967b96a6a2a5975a87f79 >> Pushed to master: 49be6c8d3cc20902dbe8e92a74e31aed2fd21d9f >> > too-late-NACK > > This patch broke ipa-restore. 
> > please not that 2 modules are imported as same name in ipa_restore.py > from ipalib import api, errors, constants > from ipaplatform.constants import constants > > 2016-03-22T16:56:27Z DEBUG File > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in > execute > return_value = self.run() > File > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", > line 218, in run > self.backup_dir, constants.FQDN) this should fix it -- t -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0014-ipa_restore-Import-only-FQDN-from-ipalib.constants.patch Type: text/x-diff Size: 1784 bytes Desc: not available URL: From tjaalton at ubuntu.com Tue Mar 22 19:10:01 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Tue, 22 Mar 2016 21:10:01 +0200 Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants In-Reply-To: <56EBD8BA.9080304@ubuntu.com> References: <56EBD8BA.9080304@ubuntu.com> Message-ID: <56F19889.50505@ubuntu.com> 18.03.2016, 12:30, Timo Aaltonen kirjoitti: > > Fix some hardcoded uid/gid strings to help with porting. rebased and simplified against current master. -- t -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0012-ipaplatform-Move-remaining-user-group-constants-to-i.patch Type: text/x-diff Size: 12964 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0013-Use-ODS_USER-ODS_GROUP-in-opendnssec_conf.template.patch Type: text/x-diff Size: 1422 bytes Desc: not available URL: From tjaalton at ubuntu.com Tue Mar 22 19:17:12 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Tue, 22 Mar 2016 21:17:12 +0200 Subject: [Freeipa-devel] [PATCH 0099] Look up HTTPD_USER's UID and GID during installation. 
In-Reply-To: <56F13C31.7080705@redhat.com> References: <56F13C31.7080705@redhat.com> Message-ID: <56F19A38.7020507@ubuntu.com> 22.03.2016, 14:36, David Kupka kirjoitti: > https://fedorahosted.org/freeipa/ticket/5712 sweet, thanks! -- t From tjaalton at ubuntu.com Tue Mar 22 23:30:16 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Wed, 23 Mar 2016 01:30:16 +0200 Subject: [Freeipa-devel] [PATCH 0015] use ipaplatform.paths in kdc.conf.template Message-ID: <56F1D588.7020108@ubuntu.com> https://fedorahosted.org/freeipa/ticket/5343 -- t -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-tjaalton-0015-Fix-kdc.conf.template-to-use-ipaplatform.paths.patch Type: text/x-diff Size: 3083 bytes Desc: not available URL: From tjaalton at ubuntu.com Wed Mar 23 06:17:09 2016 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Wed, 23 Mar 2016 08:17:09 +0200 Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants In-Reply-To: <56F19889.50505@ubuntu.com> References: <56EBD8BA.9080304@ubuntu.com> <56F19889.50505@ubuntu.com> Message-ID: <56F234E5.5040409@ubuntu.com> 22.03.2016, 21:10, Timo Aaltonen kirjoitti: > 18.03.2016, 12:30, Timo Aaltonen kirjoitti: >> >> Fix some hardcoded uid/gid strings to help with porting. > > rebased and simplified against current master. bah, the second patch needs to use constants.{ODS_USER,ODS_GROUP} now. 
-- t From mbasti at redhat.com Wed Mar 23 09:09:56 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 10:09:56 +0100 Subject: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform In-Reply-To: <56F1982D.2060904@ubuntu.com> References: <569E381B.3040104@redhat.com> <20160120015428.GJ31821@dhcp-40-8.bne.redhat.com> <569F6826.2060608@redhat.com> <1542878923.39274119.1456758177069.JavaMail.zimbra@redhat.com> <56EBC8D9.9050501@redhat.com> <56EBDE21.7000200@redhat.com> <56F113B6.9070103@redhat.com> <56F1813C.6010902@redhat.com> <56F1982D.2060904@ubuntu.com> Message-ID: <56F25D64.30605@redhat.com> On 22.03.2016 20:08, Timo Aaltonen wrote: > 22.03.2016, 19:30, Martin Basti kirjoitti: >> >> On 22.03.2016 10:43, Martin Basti wrote: >>> >>> On 18.03.2016 11:53, Christian Heimes wrote: >>>> On 2016-03-18 10:22, Martin Basti wrote: >>>>> On 29.02.2016 16:02, David Kupka wrote: >>>>>> Hello Christian, >>>>>> sorry for letting this patch rot for so long. I've forget about it >>>>>> the minute Fraser replied. >>>>>> To compensate a little I've fixed pep8 error, rebased it and >>>>>> attaching two versions for master and for 4.3 branch. >>>>>> I haven't found any missing cases and it works for me. If you're OK >>>>>> with the modified patches it can be pushed. >>>>>> >>>>>> David >>>>>> >>>>>> ----- Original Message ----- >>>>>> From: "Christian Heimes" >>>>>> To: "Fraser Tweedale" >>>>>> Cc: "freeipa-devel" >>>>>> Sent: Wednesday, January 20, 2016 11:57:42 AM >>>>>> Subject: Re: [Freeipa-devel] [PATCH 0029] Move user/group constants >>>>>> for PKI and DS into ipaplatform >>>>>> >>>>>> On 2016-01-20 02:54, Fraser Tweedale wrote: >>>>>>> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote: >>>>>>>> ipaplatform.constants has platform specific names for a couple of >>>>>>>> system >>>>>>>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, >>>>>>>> DS_USER >>>>>>>> and DS_GROUP are defined in other modules. 
Similar to #5587 the >>>>>>>> patch my >>>>>>>> patch moves the constants into the platform module. >>>>>>>> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5619 >>>>>>> I see a few remaining cases: >>>>>>> >>>>>>> ipaserver/install/dsinstance.py >>>>>>> 712: pent = pwd.getpwnam("dirsrv") >>>>>>> >>>>>>> ipatests/test_integration/test_backup_and_restore.py >>>>>>> 167: self.master.run_command(['userdel', 'dirsrv']) >>>>>>> 168: self.master.run_command(['userdel', 'pkiuser']) >>>>>>> >>>>>>> ipaplatform/redhat/tasks.py >>>>>>> 441: if name == 'pkiuser': >>>>>>> >>>>>>> When these are included, ACK. >>>>>> Good catch! >>>>>> >>>>>> My new patch takes care of remaining cases. >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Christian do you agree with proposed changes, can we push it? >>>>> Martin^2 >>>> Oh, the patch is still open? ACK! >>>> >>>> >>> Pushed to ipa-4-3: e3bf65f2df9c50873f0967b96a6a2a5975a87f79 >>> Pushed to master: 49be6c8d3cc20902dbe8e92a74e31aed2fd21d9f >>> >> too-late-NACK >> >> This patch broke ipa-restore. 
>> >> please not that 2 modules are imported as same name in ipa_restore.py >> from ipalib import api, errors, constants >> from ipaplatform.constants import constants >> >> 2016-03-22T16:56:27Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in >> execute >> return_value = self.run() >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", >> line 218, in run >> self.backup_dir, constants.FQDN) > this should fix it > ACK Pushed to ipa-4-3: 35eecf1ccd9436c65e4efcca30b155aaa37e7297 Pushed to master: 5b32ffcd1ac4bda9c34545682cc30ec4e2ec7c3b From mkosek at redhat.com Wed Mar 23 11:25:26 2016 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 23 Mar 2016 12:25:26 +0100 Subject: [Freeipa-devel] [DRAFT] FreeIPA 4.3.1 release notes In-Reply-To: <56F18270.2030806@redhat.com> References: <56F18270.2030806@redhat.com> Message-ID: <56F27D26.6090900@redhat.com> On 03/22/2016 06:35 PM, Petr Vobornik wrote: > Hello all, > > I prepared the release notes on FreeIPA.org wiki: > http://www.freeipa.org/page/Releases/4.3.1 > > Updates or improvements to release notes page welcome. Particularly if > you think some bug fixes/improvements deserves to be noted out as a > highlight, please give a suggestion or edit the page directly I would suggest to mention links to tickets and not just numbers. It will provide much better user experience when somebody is interested for more details. This is the "magic" I used: $ sed -r 's/#([0-9]+)/[https:\/\/fedorahosted.org\/freeipa\/ticket\/\1 #\1]/g' /tmp/highlights.txt I also did minor updates to the highlights. 
HTH, Martin From mbasti at redhat.com Wed Mar 23 11:47:13 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 12:47:13 +0100 Subject: [Freeipa-devel] [TEST][Patch-0027] Fixed test failure during in-tree session, ticket N 5736 In-Reply-To: <56F13F8D.4000204@redhat.com> References: <56E92E7D.7030205@redhat.com> <56E96214.7050609@redhat.com> <56E966B4.2030709@redhat.com> <56E96A25.7080504@redhat.com> <56E96F20.6080009@redhat.com> <56EFAC9C.7070309@redhat.com> <56F13F8D.4000204@redhat.com> Message-ID: <56F28241.2000107@redhat.com> On 22.03.2016 13:50, Martin Basti wrote: > > > On 21.03.2016 09:11, Oleg Fayans wrote: >> Hi Martin, >> >> On 03/16/2016 03:35 PM, Martin Basti wrote: >>> >>> On 16.03.2016 15:13, Martin Basti wrote: >>>> >>>> On 16.03.2016 14:59, Oleg Fayans wrote: >>>>> Hi Martin >>>>> >>>>> On 03/16/2016 02:39 PM, Martin Basti wrote: >>>>>> On 16.03.2016 10:59, Oleg Fayans wrote: >>>>>>> With this patch applied integration tests pass and in-tree tests >>>>>>> are >>>>>>> gracefully skipped. >>>>>>> >>>>>>> @mkubik, It is not possible to put the decorator to util.py as >>>>>>> per our >>>>>>> discussion, because it uses tasks, so tasks must be imported. But >>>>>>> tasks >>>>>>> already import util, which leads to circular imports. So I've put >>>>>>> it to >>>>>>> tasks.py >>>>>>> >>>>>>> >>>>>>> >>>>>> NACK >>>>>> >>>>>> 1) >>>>>> Use right ticket in commit message (#5723) >>>>> But (#5736) is exactly the issue that is being addressed. Probably >>>>> note >>>>> both tickets in the commit message? >>>> But as I wrote in ticket #5736, this ticket should be closed, because >>>> issue is caused by ticket which is not finished yet, so we should >>>> continue just with original ticket. 
>> Done >> >>>>>> 2) >>>>>> Link to ticket should be last in the commit message >> Done >> >>>>>> 3) >>>>>> dereplicafy >>>>>> >>>>>> 3a) >>>>>> wrong doc string, it removes *only* replicas not clients >>>>> No, in fact it removes both: >>>>> uninstall_replica(args[0].master, host) >>>>> uninstall_client(host) >>>>> >>>>> Both tasks have raiseonerr set to False, which means that even if >>>>> replica was not installed but the client was - it will also be >>>>> removed >>>> I see just >>>> for host in args[0].replicas >>>> >>>> I don't see any >>>> for host in args[0].clients >>>> there >>>> >>>> Also uninstall_client should not be there. ipa-server-install >>>> --uninstall removes client too. The extra call of uninstall client is >>>> IMO there just because an ancient bug that is already fixed. >> That's done because some tests install client separately and then >> deliberately install replica the wrong way to test that the installer >> fails in a predicted way. That's why this separate uninstall_client >> call. The doc string was corrected. >> >> >>>>>> 3b) >>>>>> can we rename it to something different? (replicas_cleanup, >>>>>> replicas_uninstall, replicas_teardown) >>>>> replicas_cleanup, or even topo_cleanup sounds OK to me. >> replicas_cleanup it is >> >>>>>> 4) >>>>>> Please fix commit message >>>>>> - Wile trated correctly >>>>>> - followiong >>>>>> - rewrote -> rewrite >>>>> Will do >> Done >> >>>>>> 5) >>>>>> decorator >>>>>> + def wrapped(*args): >>>>>> + func(*args) >>>>>> + for host in args[0].replicas: >>>>>> >>>>>> Shouldn't be there try-finally around func() call, or something? >>>>> No, the wrapped function is a test_* method: if it fails we need >>>>> to see >>>>> the original failure >>>> but if something raise an exception in func(), cleanup will not be >>>> executed. 
>>>>
>>>> You can do
>>>> In [4]: try:
>>>>    ...:     raise ValueError('Hello')
>>>>    ...: finally:
>>>>    ...:     try:
>>>>    ...:         raise ValueError('Cleanup')
>>>>    ...:     except Exception:
>>>>    ...:         pass
>>>>    ...:
>>>> ---------------------------------------------------------------------------
>>>>
>>>>
>>>> ValueError Traceback (most recent call last)
>>>> in ()
>>>>       1 try:
>>>> ----> 2     raise ValueError('Hello')
>>>>       3 finally:
>>>>       4     try:
>>>>       5         raise ValueError('Cleanup')
>>>>
>>>> ValueError: Hello
>>> On the other hand, I do not want cleanup with --pdb option, so maybe it
>>> should just fail
>>>
>>>>>> Are you sure that there is no need to return result of func()?
>>>>> The same applies here: we never return results from test_* methods
>>>> ok
>>>>>> *) Please create additional patch that will add licence there
>>>>>>
>>>>>>
>>>>> Will do :)
>>>>>
>>>>>
>> The license-related patch is attached too
>>
> Patch 0029 pushed to:
> master: c2042900382190b1c9d7a44bd719cacd804749b3
> ipa-4-3: 1d5b8b8781e5d6300c5029bdd68c6ddf98f6ecd3
>
>
> Patch 27 is on review
>
ACK

Pushed to:
ipa-4-3: 2ddae844dca5860398a46979ecf984f1cfd9a6ac
master: d58cd04e8a618b0bf33d36099f782149c93dbd33

From dkupka at redhat.com Wed Mar 23 12:14:16 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 23 Mar 2016 13:14:16 +0100
Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
In-Reply-To: <56F234E5.5040409@ubuntu.com>
References: <56EBD8BA.9080304@ubuntu.com> <56F19889.50505@ubuntu.com> <56F234E5.5040409@ubuntu.com>
Message-ID: <56F28898.7060303@redhat.com>

On 23/03/16 07:17, Timo Aaltonen wrote:
> 22.03.2016, 21:10, Timo Aaltonen wrote:
>> 18.03.2016, 12:30, Timo Aaltonen wrote:
>>>
>>> Fix some hardcoded uid/gid strings to help with porting.
>>
>> rebased and simplified against current master.
>
> bah, the second patch needs to use constants.{ODS_USER,ODS_GROUP} now.
>
>
Hello, thanks for the patches.
I've done few minor changes:
- using constants.ODS_{USER,GROUP} in second patch as you've mentioned
- added ticket URL to commit messages for future reference
- rebased the first patch to ipa-4-3 branch

Now it works for me, ACK.

--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0012.1-43-ipaplatform-Move-remaining-user-group-constants-to-i.patch
Type: text/x-patch
Size: 13715 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0012.1-ipaplatform-Move-remaining-user-group-constants-to-i.patch
Type: text/x-patch
Size: 13740 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tjaalton-0013.1-Use-ODS_USER-ODS_GROUP-in-opendnssec_conf.template.patch
Type: text/x-patch
Size: 1623 bytes
Desc: not available

From dkupka at redhat.com Wed Mar 23 12:14:59 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 23 Mar 2016 13:14:59 +0100
Subject: [Freeipa-devel] [PATCH 0015] use ipaplatform.paths in kdc.conf.template
In-Reply-To: <56F1D588.7020108@ubuntu.com>
References: <56F1D588.7020108@ubuntu.com>
Message-ID: <56F288C3.6050206@redhat.com>

On 23/03/16 00:30, Timo Aaltonen wrote:
>
> https://fedorahosted.org/freeipa/ticket/5343
>
>
>
Thanks for the patch, works for me, ACK.
-- David Kupka From mbasti at redhat.com Wed Mar 23 12:15:19 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 13:15:19 +0100 Subject: [Freeipa-devel] user-* commands performance issues In-Reply-To: <56F00A50.6000602@redhat.com> References: <56EAC8AC.2030805@redhat.com> <56EFC657.20803@redhat.com> <56EFDE9B.8030503@redhat.com> <56EFE2E0.7030304@redhat.com> <56F00A50.6000602@redhat.com> Message-ID: <56F288D7.6010109@redhat.com> On 21.03.2016 15:50, Petr Vobornik wrote: > On 03/21/2016 01:02 PM, Martin Basti wrote: >> >> >> On 21.03.2016 12:44, Jan Cholasta wrote: >>> On 21.3.2016 11:00, Petr Vobornik wrote: >>>> On 03/17/2016 04:09 PM, Martin Basti wrote: >>>>> Hello all, >>>>> >>>>> I would like to discuss the way how we should improve the speed of >>>>> user-find commands (and other commands too if possible): >>>>> >>>>> 0) >>>>> Do not do extra search for ipasshpubkey. This is clear, patch posted >>>>> for >>>>> review. >>>>> https://fedorahosted.org/freeipa/ticket/3376 >>>>> >>>>> commands: user, stageuser, host, idview >>>>> >>>>> 1) >>>>> make --no-members option visible in CLI >>>>> https://fedorahosted.org/freeipa/ticket/4995 >>>> >>>> There was a discussion around devconf that --no-members should be a >>>> default behavior of xxx-find commands and I'm for it. >>> >>> +1, although we should be backward compatible with old clients which >>> expect the attributes to be there. >> Ok, I agree to have --no-members as default for *-find commands, but it >> doesn't contradict to exposing --no-member option for all commands. > > +1, xxx-show can have --no-members > >> >>> >>>> >>>> Reasoning: use case: 'find me all groups which satisfy this filter'. >>>> Showing members clutters the output(one group with >500 member >>>> makes it >>>> unusable) and makes things slow(both on server and CLI side). >>>> >>>> For xxx-show commands it is a question where I don't have a strong >>>> opinion. 
>>> >>> I think it shouldn't hurt to keep them in -show commands, as there is >>> always only a single entry to process. >> +1 >> >>> >>>> >>>>> >>>>> I don't think we should implement also --no-indirect-members, I think >>>>> that this kind of granularity is not needed. >>>>> If --no-members is used, then indirect members will be ignored too. >>>> >>>> +1 >>> >>> +1 >>> >>>> >>>>> >>>>> commands: all which use members >>>>> >>>>> 2) >>>>> Limit the amount of searches for memberof[indirect] (group, netgroup, >>>>> role, hbacrule, sudorule) and search for each dn only once in find >>>>> commands. >>>>> >>>>> We can have configurable option in default.conf (for example >>>>> memberof_search_limit=100 (0 unlimited)). Find commands will get >>>>> members >>>>> only for specified amount and if this limit is exceeded a warning >>>>> message is shown. >>>>> I do not like this idea much, I think it should be all or nothing, I >>>>> prefer to not do this. >>> >>> +1 > > I'd also avoid anything special here. But there are sometimes cases > when the behavior is not good. E.g. a command fails because something > is not able to get members and you actually don't care about the > members. Not sure if it is was "fixed"(sizelimit=0). But with new > member handling it might not be a big issue. > >>> >>>>> >>>>> However I like the idea of temporary caching inside find commands, >>>>> where >>>>> each memberof DN is resolved just once and results are cached in a >>>>> map >>>>> and reused in current context of command. This should be improvement >>>>> mainly for indirect searches, but cache should be faster for direct >>>>> members than doing internal calls of framework objects. This part is >>>>> backward compatible, the first part is not. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5282 >>>> >>>> What parts of the ticket can be solved with deref plugin? I guess >>>> we can >>>> get the CNs, but not what is a direct member. Maybe it should be >>>> discussed separately. 
>>> >>> Indirect members are already resolved by a single LDAP search. What >>> kind of additional optimization would you like to do for them? >> >> We can use deref plugin to get pkeys from one search in case that pkeys >> are not part of DN. (I have to investigate if it is worth to do for >> user-find, I'm not sure if any memberof attributes have pkey that is not >> part of DN) > > sudo rule, hbac rule > >> >> For indirect members, it is one search per entry, but for 1000 users, it >> is 1000 searches and I would like to have just one for the particular >> indirect member. > > are we talking about user-find? If so then it is mostly solved with > default --no-member style behavior. > > But if a user or a group is directly/indirectly a member of a lot of > groups(1000) then it might become slow. But caching won't probably > help much, not sure. In case that you have one user in 1000 indirect groups, it will not help, but if you have 500 users in the same 1000 indirect groups, it will be ~500 times faster than without caching. Also we have to find out how to solve case that a user wants to show members for *-find commands. is enough to show members when --all flag is used, or should we add separate option to show members in find command (--members, --get-members)? Martin^2 > >> >> >>> >>>> >>>>> >>>>> commands: user-find, stageuser-find, possibly all find commands >>>>> >>>>> 3) >>>>> Remove userPassword, krbPrincipalKey from search results >>>>> This change is not backward compatible, can we do this? >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5281 >>>>> >>>>> commands: user-find >>>> >>>> I'm for it, would like to hear other opinions. >>>> >>>> Note: it should be only in user-find commands. 'show' has to >>>> display it. 
>>>
>>> +1
>>>
>>
>
>

From mbasti at redhat.com Wed Mar 23 12:33:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 23 Mar 2016 13:33:33 +0100
Subject: [Freeipa-devel] [PATCH 0012-0013] Improve ipaplatform.constants
In-Reply-To: <56F28898.7060303@redhat.com>
References: <56EBD8BA.9080304@ubuntu.com> <56F19889.50505@ubuntu.com> <56F234E5.5040409@ubuntu.com> <56F28898.7060303@redhat.com>
Message-ID: <56F28D1D.8070202@redhat.com>

On 23.03.2016 13:14, David Kupka wrote:
> On 23/03/16 07:17, Timo Aaltonen wrote:
>> 22.03.2016, 21:10, Timo Aaltonen wrote:
>>> 18.03.2016, 12:30, Timo Aaltonen wrote:
>>>>
>>>> Fix some hardcoded uid/gid strings to help with porting.
>>>
>>> rebased and simplified against current master.
>>
>> bah, the second patch needs to use constants.{ODS_USER,ODS_GROUP} now.
>>
>>
> Hello, thanks for the patches. I've done few minor changes:
> - using constants.ODS_{USER,GROUP} in second patch as you've mentioned
> - added ticket URL to commit messages for future reference
> - rebased the first patch to ipa-4-3 branch
>
> Now it works for me, ACK.
>
>
>
Pushed to:
ipa-4-3:
* 813dde8ef15f2f16bb0b3451f2b96e16fbbe30ba ipaplatform: Move remaining user/group constants to ipaplatform.constants.
* 13e9af3b6f85127645eee17f8fab0e8e60169a4b Use ODS_USER/ODS_GROUP in opendnssec_conf.template
master:
* 2a2d63669d740396eabc6f46906b8625f001ad3c ipaplatform: Move remaining user/group constants to ipaplatform.constants.
* f761051411a83dc15a97c53309cc08652a24d80a Use ODS_USER/ODS_GROUP in opendnssec_conf.template

From mbasti at redhat.com Wed Mar 23 12:36:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 23 Mar 2016 13:36:19 +0100
Subject: [Freeipa-devel] [PATCH 0015] use ipaplatform.paths in kdc.conf.template
In-Reply-To: <56F288C3.6050206@redhat.com>
References: <56F1D588.7020108@ubuntu.com> <56F288C3.6050206@redhat.com>
Message-ID: <56F28DC3.5060309@redhat.com>

On 23.03.2016 13:14, David Kupka wrote:
> On 23/03/16 00:30, Timo Aaltonen wrote:
>>
>> https://fedorahosted.org/freeipa/ticket/5343
>>
>>
>>
> Thanks for the patch, works for me, ACK.
>
Pushed to:
master: b793c9049ec1bf72eb7d3395e9221b229237171b
ipa-4-3: d09b8f05fdc3dbe8a5dde3e2c529fb62ea2a503c

From mbasti at redhat.com Wed Mar 23 13:46:31 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 23 Mar 2016 14:46:31 +0100
Subject: [Freeipa-devel] [patch 0033] spec file: update the python-polib dependency name to python2-polib
In-Reply-To: <56D87216.30506@redhat.com>
References: <56C1F0C4.7060707@redhat.com> <56C1F622.3000602@redhat.com> <20160215163920.GM25417@mail.corp.redhat.com> <56CED17A.3050808@redhat.com> <56CED24E.9060207@redhat.com> <56CED260.4080703@redhat.com> <56D87216.30506@redhat.com>
Message-ID: <56F29E37.4030609@redhat.com>

On 03.03.2016 18:19, Martin Basti wrote:
>
>
> On 25.02.2016 11:07, Milan Kubík wrote:
>> On 02/25/2016 11:07 AM, Jan Cholasta wrote:
>>> On 25.2.2016 11:03, Milan Kubík wrote:
>>>> On 02/15/2016 05:39 PM, Lukas Slebodnik wrote:
>>>>> On (15/02/16 17:00), Petr Vobornik wrote:
>>>>>> On 02/15/2016 04:37 PM, Milan Kubík wrote:
>>>>>>> Reflect the updated name of the package.
>>>>>>>
>>>>>> Seems to me as a packaging bug in python-polib. It should use
>>>>>> python_provide
>>>>>> macro to handle the transition.
>>>>> There is not a bug in python-polib
>>>>>
>>>>> sh# rpm -q python2-polib
>>>>> python2-polib-1.0.7-2.fc23.noarch
>>>>>
>>>>> sh# rpm -q --provides python2-polib
>>>>> python-polib = 1.0.7-2.fc23
>>>>> python2-polib = 1.0.7-2.fc23
>>>>>
>>>>> However it is a change in behaviour in dnf/yum.
>>>>> You can see more details in BZ1291850 or better BZ1096506.
>>>>>
>>>>> This is a reason why "dnf builddep" will try to remove package.
>>>>> (it's not downgrade from dnf point of view)
>>>>>
>>>>> sh# dnf builddep freeipa.spec
>>>>> Last metadata expiration check performed 0:17:37 ago on Mon Feb 15
>>>>> 16:19:14
>>>>> 2016.
>>>>> Package python-setuptools-18.0.1-2.fc23.noarch is already installed,
>>>>> skipping.
>>>>> Package systemd-222-10.fc23.x86_64 is already installed, skipping.
>>>>> Package systemd-222-10.fc23.x86_64 is already installed, skipping.
>>>>> Error: installed package python2-polib-1.0.7-2.fc23.noarch obsoletes
>>>>> python-polib < 1.0.7-2.fc23 provided by
>>>>> python-polib-1.0.3-6.fc23.noarch
>>>>> (try to add '--allowerasing' to command line to replace conflicting
>>>>> packages)
>>>>>
>>>>>
>>>>> You might try to file a dnf BZ but mine 1291850 was two times closed
>>>>> as not a
>>>>> bug and then closed as a duplicate of another bug.
>>>>>
>>>>> IMHO the simplest solution would be to push the patch with better
>>>>> explanation
>>>>> in's a workaround.
>>>>>
>>>>> LSommit message because it's a workaround.
>>>>>
>>>>> LS
>>>> Updated patch with reworded commit message.
>>>
>>> Please also add "workaround for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1096506" comment above
>>> the changed requires.
>>>
>> Done.
>>
>>
>>
> ACK, but missing ticket
>
>
Pushed to master: fddb74e22e4321cb9cca390d215ddd7b68a740c9
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From mbasti at redhat.com Wed Mar 23 15:17:20 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 16:17:20 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56E9637B.5080307@redhat.com> References: <56E29266.8000501@redhat.com> <56E69B01.6000108@redhat.com> <56E6A589.4050207@redhat.com> <56E6A739.3000505@redhat.com> <56E6D821.7090200@redhat.com> <56E6DED5.3080905@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> Message-ID: <56F2B380.9030504@redhat.com> On 16.03.2016 14:45, Stanislav Laznicka wrote: > On 03/16/2016 10:22 AM, Jan Cholasta wrote: >> On 16.3.2016 08:33, Stanislav Laznicka wrote: >>> On 03/15/2016 12:47 PM, Petr Vobornik wrote: >>>> On 03/15/2016 07:25 AM, Jan Cholasta wrote: >>>>> On 14.3.2016 17:18, Petr Vobornik wrote: >>>>>> On 03/14/2016 04:55 PM, Jan Cholasta wrote: >>>>>>> On 14.3.2016 16:26, Petr Vobornik wrote: >>>>>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote: >>>>>>>>> On 14.3.2016 12:50, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> Please see the patch attached. Contrary to the discussion at >>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the >>>>>>>>>>>> suffix >>>>>>>>>>>> option for clean_ruv command. If this command is available for >>>>>>>>>>>> normal >>>>>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>>>>>>>>> deprecated >>>>>>>>>>>> for both with advised use of clean_dangling_ruv). 
>>>>>>>>>>> >>>>>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>>>>>>>>> ipa-csreplica-manage should be extended instead of adding >>>>>>>>>>> --suffix >>>>>>>>>>> option to ipa-replica-manage. Having half of the CA suffix >>>>>>>>>>> managed by >>>>>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>>>>>>>>> confusing. >>>>>>>>>>> >>>>>>>>>>> Honza >>>>>>>>>>> >>>>>>>>>> There is a design document about deprecating >>>>>>>>>> ipa-csreplica-manage and >>>>>>>>>> move part of its responsibilities to ipa-replica-manage. >>>>>>>>>> >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> So patch is compatible with design. >>>>>>>>> >>>>>>>>> The design is wrong then. >>>>>>>> >>>>>>>> I don't agree. >>>>>>>> >>>>>>>>> >>>>>>>>> Either do it in ipa-csreplica-manage, or make *all* >>>>>>>>> ipa-replica-manage >>>>>>>>> sub-commands respect the --suffix option. Anything else is >>>>>>>>> inconsistent >>>>>>>>> mess. >>>>>>>> >>>>>>>> That's the idea for domain level 1. There is little value in >>>>>>>> extending >>>>>>>> behavior(managing replication agreements) in domain level 0. >>>>>>> >>>>>>> Domain level 0 is still relevant, it won't go away anytime soon. >>>>>>>> >>>>>>>> Main idea is to not care about suffixes and work with all suffixes >>>>>>>> right >>>>>>>> away. This is reflected in clean-dangling-ruv command and these >>>>>>>> extensions are its counterpart - to enable disabling the run. We >>>>>>>> mostly >>>>>>>> care about replica IDs not suffixes they belong to. IMO --suffix >>>>>>>> option >>>>>>>> is not necessary and is mostly for debugging. 
>>>>>>>> >>>>>>>> One of the reasons why we have all the RUV commands is a mess >>>>>>>> after >>>>>>>> uninstallation when somebody forgets/ignores to run >>>>>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del >>>>>>>> $server` before uninstallation of replica. Users then usually run >>>>>>>> `ipa-replica-manage del $server` --force --clean` but >>>>>>>> `ipa-csreplica-manage del $server` can't be run after it. >>>>>>>> Changes in >>>>>>>> 4.3 and 4.4 tries to prevent this situation (e.g. by calling >>>>>>>> equivalent >>>>>>>> of `ipa-cs+replica-manage del` from `ipa-server-install >>>>>>>> --uninstall`). >>>>>>>> But until then mess is cleaned on all servers, we should deal >>>>>>>> with it >>>>>>>> with the most convenient way - hiding implementation details. >>>>>>>> >>>>>>> >>>>>>> This is actually exposing implementation details by forcing the >>>>>>> user to >>>>>>> use a different command based on the domain level. >>>>>> >>>>>> What different commands? >>>>> >>>>> ipa-replica-manage vs ipa-csreplica-manage cs API commands. >>>>> >>>>>> >>>>>>> Please explain to me how any of the above requires us to introduce >>>>>>> additional inconsistencies and bad UX to IPA. >>>>>> >>>>>> What bad UX? >>>>> >>>>> This is how replicas are managed in domain level 0 without the patch: >>>>> >>>>> suffix both domain ca >>>>> >>>>> list - i-r-m i-c-m >>>>> >>>>> list-ruv - i-r-m - >>>>> >>>>> connect - i-r-m i-c-m >>>>> >>>>> diconnect - i-r-m i-c-m >>>>> >>>>> del - i-r-m i-c-m >>>>> >>>>> re-initialize - i-r-m i-c-m >>>>> >>>>> force-sync - i-r-m i-c-m >>>>> >>>>> clean-ruv - i-r-m - >>>>> >>>>> abort-clean-ruv - i-r-m - >>>>> >>>>> list-clean-ruv i-r-m - - >>>> >>>> isnt' it?: >>>> - i-r-m - >>>> >>> It is AFAIK. >> >> It's not, the command searches all 'cleanallruv' and 'abort >> cleanallruv' tasks without filtering by suffix. > My bad, misread it and thought it was list-ruv. 
>> >>>> >>>>> >>>>> clean-dangling-ruv i-r-m - - >>>>> >>>>> (i-r-m == ipa-replica-manage, etc.) >>>>> >>>>> >>>>> This is how replicas are managed in domain level 1 with the patch: >>>>> >>>>> suffix both domain ca >>>>> >>>>> list - i-r-m i-c-m >>>>> s-f s-f -ts=d s-f -ts=c >>>>> >>>>> list-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> connect - ts-a d ts-a c >>>>> >>>>> diconnect - ts-d d ts-d c >>>>> >>>>> del i-r-m - - >>>>> s-d - - >>>>> >>>>> re-initialize - i-r-m i-c-m >>>>> - ts-r d ts-r c >>>>> >>>>> force-sync - i-r-m i-c-m >>>>> >>>>> clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> abort-clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> list-clean-ruv i-r-m - - >>>>> >>>>> clean-dangling-ruv i-r-m - - >>>>> >>>>> (s-f -ts=d == server-find --topologysuffixes=domain, etc.) >>>>> >>>>> >>>>> Maybe it's just me, but I fail to see the pattern here and find this >>>>> very confusing. (Note that I'm not trying to blame this particular >>>>> patch >>>>> for this, I'm just frustrated from the overall state.) >>>> >>>> Yes, backwards compatibility(bc) makes a mess there. But look at the >>>> state in following way (bc hidden): >>>> >>>> suffix both domain ca >>>> >>>> == Normal operations (i.e. all in API) == >>>> >>>> list s-f s-f -ts=d s-f -ts=c >>>> >>>> >>>> >>>> connect - ts-a d ts-a c >>>> >>>> diconnect - ts-d d ts-d c >>>> >>>> del s-d - - >>>> >>>> == Debugging & Fixing == >>>> >>>> re-initialize ts-r d ts-r c >>>> - i-r-m i-c-m >>>> >>>> force-sync - i-r-m i-c-m >>>> >>>> >>>> list-ruv i-r-m >>>> >>>> clean-ruv i-r-m >>>> >>>> abort-clean-ruv i-r-m >>>> >>>> list-clean-ruv i-r-m - - >>>> >>>> clean-dangling-ruv i-r-m - - >>>> >>>> >>>> Then we can see that only issue is force-sync operations which use >>>> case I don't really understand and with re-initialize which should be >>>> improved in API to be more usable (currently there is no progress >>>> status). >>>> >>>> Note: "debugging and fixing" is basically the same on both domain >>>> levels. 
>>>> >>>> >>>>> >>>>>> >>>>>> It is supposed to be used in following way: >>>>>> ipa-replica-manage clean-dangling-ruvs >>>>>> >>>>>> If from whatever reason some clean ruv task is not finished then: >>>>>> ipa-replica-manage list-clean-ruv >>>>>> [all running task for all suffixes] >>>>>> ipa-replica-manage abort-clean-ruv REPLICATION_ID >>>>>> >>>>>> Nothing else. Works for both domain levels and suffixes from a >>>>>> single >>>>>> tool. Again, --suffix option is not important. >>>>> >>>>> This changes the default behavior in domain level 0. I though we >>>>> are not >>>>> extending domain level 0 anymore, you said it yourself in a comment >>>>> above. >>>> >>>> I meant that we don't need to invest into new features in domain level >>>> 0 but RUV commands doesn't need to behave differently on various >>>> domain levels. There is no reason. >>>> >>>>> >>>>>> >>>>>> Note: clean-ruv subcommand could be probably marked as deprecated >>>>>> or be >>>>>> discouraged to use. >>>>> >>>>> If the commands are deprecated, why further extend them? >>>> >>>> No reason, clean-ruv subcommand doesn't need to be extended. Maybe to >>>> have similar behavior as rest of ruv commands. >>>> >>> It was exactly for that reason. If there's abort-clean-ruv which allows >>> aborting the clean operation for both suffixes, it seems rather natural >>> to have its counterpart to be able to do the same (as long as it's not >>> deprecated, which we might do right now if it seems like a good >>> thing to >>> do). >>>>> >>>>>> >>>>>> If the patch doesn't implement it, then it's wrong. >>>>> >>>>> The patch changes the default behavior of the sub-commands and >>>>> extends >>>>> them even in domain level 0. I would think at least that should be >>>>> fixed. >>>> >>>> Why? >>>> >>>> >>> Given the question of deprecating clean-ruv is answered by now, I >>> should >>> also ask why. >> >> We discussed this with Petr offline. 
We agreed that it's actually
>> desirable to make all clean-ruv commands behave the same on all
>> domain levels. We also agreed that it's desirable to make the normal
>> operation commands behave the same on all domain levels, which is
>> currently not true for the connect and disconnect commands, but
>> that's unrelated to this patch.
>>
>> Therefore, I'm OK with the approach, as long as you either remove the
>> --suffix option altogether, or add it to the remaining clean-ruv
>> commands (list-clean-ruv and clean-dangling-ruv). I would personally
>> just remove it, because as Petr pointed out, it's not actually
>> necessary for anything.
>>
> Modified the patch (removed the --suffix option) and added password
> check for clean_dangling_ruv command to be in the same spot as for the
> other commands.

Can you please update design http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly the --suffix option)? Also there are missing clean-ruv and list-ruv commands in design, and fix usage at the bottom.

1)
I don't understand this expression
+ if dirman_passwd is None or ( + not dirman_passwd and args[0] in cs_enabled_commands):
You already tested if subcommand belongs to cs_enabled_commands few lines above, IMO the 'dirman_password is None' expression is enough.

2)
+# tuple of commands that work with ca tree and need Directory Manager password +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv")
this variable is used only to detect if dirman passwd is needed, I suggest to rename it to commands_req_dirman_passwd, or something better.

3)
Q: Do we need is_cs_set() function?
A: Yes! I wanted to give you ultimate NACK, but then I checked how get_ruv code works and I changed my mind. Please write a comment where is_cs_set function is used, why we need extra function instead of catching an exception, possibly you can open a refactoring ticket.

Shame:
1)
+ if not test_connection(realm, host, options.nolookup) or\
Please use parentheses instead of backslash

2)
+ args[0] in cs_enabled_commands: + not dirman_passwd and args[0] in cs_enabled_commands):
Indentation is not multiplication of 4

Nitpicks (I don't insist on fixing these):
1)
+ if servers.get('ca', None):
None is default

2)
+ for (netloc, rid) in servers['ca']:
parentheses are not needed

3)
+ print("\t%s: %s" % (netloc, rid))
Would be nice to use .format() instead of %

Martin^2

From dkupka at redhat.com Wed Mar 23 15:37:54 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 23 Mar 2016 16:37:54 +0100
Subject: [Freeipa-devel] [PATCH 0432, 0450] stageuser-activate: noralize manager value + tests
In-Reply-To: <56F1716C.6070304@redhat.com>
References: <56DEB130.3030005@redhat.com> <56E7D9F9.9030907@redhat.com> <56E915B8.8060601@redhat.com> <56F1716C.6070304@redhat.com>
Message-ID: <56F2B852.3000400@redhat.com>

On 22/03/16 17:23, Martin Basti wrote:
>
>
> On 16.03.2016 09:13, Martin Basti wrote:
>>
>>
>> On 15.03.2016 10:46, David Kupka wrote:
>>> On 08/03/16 12:02, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5481
>>>>
>>>> Patch attached.
>>>>
>>>>
>>> Works for me, ACK.
>>>
>> Pushed to master: 4871cb5b549042f383ee883e527e773c0abe9d87
>> Pushed to ipa-4-3: 03743ba1d9191bf0d786116808dba4d7a3522b1f
>>
> Fix for tests.
> Patch attached.

Works for me, ACK.

All-green tests are one step closer, yay!
--
David Kupka

From mbasti at redhat.com Wed Mar 23 15:38:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 23 Mar 2016 16:38:57 +0100
Subject: [Freeipa-devel] [PATCH 0432, 0450] stageuser-activate: noralize manager value + tests
In-Reply-To: <56F2B852.3000400@redhat.com>
References: <56DEB130.3030005@redhat.com> <56E7D9F9.9030907@redhat.com> <56E915B8.8060601@redhat.com> <56F1716C.6070304@redhat.com> <56F2B852.3000400@redhat.com>
Message-ID: <56F2B891.8030609@redhat.com>

On 23.03.2016 16:37, David Kupka wrote:
> On 22/03/16 17:23, Martin Basti wrote:
>>
>>
>> On 16.03.2016 09:13, Martin Basti wrote:
>>>
>>>
>>> On 15.03.2016 10:46, David Kupka wrote:
>>>> On 08/03/16 12:02, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5481
>>>>>
>>>>> Patch attached.
>>>>>
>>>>>
>>>> Works for me, ACK.
>>>>
>>> Pushed to master: 4871cb5b549042f383ee883e527e773c0abe9d87
>>> Pushed to ipa-4-3: 03743ba1d9191bf0d786116808dba4d7a3522b1f
>>>
>> Fix for tests.
>> Patch attached.
>
> Works for me, ACK.
>
> All-green tests are one step closer, yay!
>
Pushed to:
master: ae5bf8291f201a5e56226f43f40702b07510107a
ipa-4-3: 9a93172dec4d44127bd7ca3b302bf3a9057bb41a

From lhellebr at redhat.com Wed Mar 23 15:41:49 2016
From: lhellebr at redhat.com (Lukáš Hellebrandt)
Date: Wed, 23 Mar 2016 16:41:49 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
Message-ID: <56F2B93D.5090202@redhat.com>

I created a design page for the feature:

http://www.freeipa.org/page/URI-based-HBAC-design

--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From rcritten at redhat.com Wed Mar 23 15:54:55 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Mar 2016 11:54:55 -0400
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2B93D.5090202@redhat.com>
References: <56F2B93D.5090202@redhat.com>
Message-ID: <56F2BC4F.8030908@redhat.com>

Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
>
>

Can you make the ticket reference a link?

Is it expected that a full URI will be used, including protocol? Your early examples are http://path/to/somewhere and later you just use /path/to/somewhere. Will protocol be allowed? I ask because it can be problematic because users would have to consider and remember http vs https, for example.

What happens if ftp, for example, added HBAC support and wanted to utilize this but wanted different access control by protocol?

I think case sensitivity might be pretty important too, though might be best left as an exercise for the user.

I'm not sure what you mean by the CLI section. It seems like you are just adding in a uri option so I'd be explicit. Showing possible usage would be handy too.

What kind of regex validation can be done, if any?

rob

From mbasti at redhat.com Wed Mar 23 16:16:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 23 Mar 2016 17:16:19 +0100
Subject: [Freeipa-devel] [PATCH 0099] Look up HTTPD_USER's UID and GID during installation.
In-Reply-To: <56F19A38.7020507@ubuntu.com>
References: <56F13C31.7080705@redhat.com> <56F19A38.7020507@ubuntu.com>
Message-ID: <56F2C153.5050302@redhat.com>

On 22.03.2016 20:17, Timo Aaltonen wrote:
> 22.03.2016, 14:36, David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/5712
> sweet, thanks!
> > ACK Pushed to: master: 03a697489af1ca6e458175b16c710b5fb6578226 ipa-4-3: e52fb361819b03dcbe9458495b7aa8932d22ad2a From mbasti at redhat.com Wed Mar 23 16:22:16 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 17:22:16 +0100 Subject: [Freeipa-devel] [PATCH 016, 024, 025] First part of the replica promotion tests + testplan In-Reply-To: <56F16388.7060503@redhat.com> References: <56D93B28.2020302@redhat.com> <56D93B98.4090307@redhat.com> <56D9AA4B.103@redhat.com> <56D9B8CB.3040507@redhat.com> <56DEB998.3070501@redhat.com> <56DF0ABD.4040603@redhat.com> <56DF256E.8010000@redhat.com> <56E1F09D.10405@redhat.com> <20160317102835.GB19342@mail.corp.redhat.com> <56EAC67D.8040701@redhat.com> <20160317193747.GB23625@mail.corp.redhat.com> <56F00B16.90402@redhat.com> <56F14360.5050802@redhat.com> <56F148E0.9000907@redhat.com> <56F1509D.2010908@redhat.com> <56F16388.7060503@redhat.com> Message-ID: <56F2C2B8.3090305@redhat.com> On 22.03.2016 16:23, Oleg Fayans wrote: > Hi Martin, > > As per discussion, reverted 0025 patch and added try-catch in > prepare_host method to make replica promotion tests pass > > On 03/22/2016 03:03 PM, Martin Basti wrote: >> >> On 22.03.2016 14:30, Oleg Fayans wrote: >>> On 03/22/2016 02:06 PM, Martin Basti wrote: >>>> On 21.03.2016 15:54, Oleg Fayans wrote: >>>>> Hi Lukas, Martin, >>>>> >>>>> Looks I've implemented the approach proposed by Martin. The issue seems >>>>> to have gone (see the external_ca_out for external_ca test output). >>>>> Would like you to take a look and tell me what'd you think. 
>>>>> >>>>> >>>>> On 03/17/2016 08:37 PM, Lukas Slebodnik wrote: >>>>>> On (17/03/16 16:00), Oleg Fayans wrote: >>>>>>> Hi Lukas, >>>>>>> >>>>>>> On 03/17/2016 11:28 AM, Lukas Slebodnik wrote: >>>>>>>> On (10/03/16 23:09), Oleg Fayans wrote: >>>>>>>>> Hi Martin, >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On 03/08/2016 08:18 PM, Martin Basti wrote: >>>>>>>>>> On 08.03.2016 18:24, Martin Basti wrote: >>>>>>>>>>> On 08.03.2016 12:38, Oleg Fayans wrote: >>>>>>>>>>>> The patches were rebased against the current master >>>>>>>>>>>> >>>>>>>>>>>> On 03/04/2016 05:33 PM, Martin Basti wrote: >>>>>>>>>>>>> * old messages have been removed * >>>>>>>>>>>>>>>>> 1) >>>>>>>>>>>>>>>>> this method is unused please remove it >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> def test_kra_install_master(self): >>>>>>>>>>>>>> Well, in fact it is used twice: in both domain levels, so I'd >>>>>>>>>>>>>> better >>>>>>>>>>>>>> keep it: >>>>>>>>>>>>>> >>>>>>>>>>>>>> -bash-4.3$ ipa-run-tests >>>>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>>>> --collect-only >>>>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> test session starts >>>>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>>>> pytest.ini >>>>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>>>> collected 8 items >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> aah my bad, I forgot that pytest 
executes it when it begins >>>>>>>>>>>>> with test_* >>>>>>>>>>>>> even in parent class >>>>>>>>>>>>>>>>> 2) >>>>>>>>>>>>>>>>> Why are these there? I do not see any usage >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> from env_config import get_global_config >>>>>>>>>>>>>>>>> config = get_global_config() >>>>>>>>>>>>>> Removed >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 3) nitpick >>>>>>>>>>>>>>>>> + num_clients = 0 >>>>>>>>>>>>>>>>> this is set by default >>>>>>>>>>>>>> Removed >>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> otherwise LGTM >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Results of testing tomorrow. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I applied all patches including workarounds, but test >>>>>>>>>>>>>>>> failed. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] RUN >>>>>>>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>>>>>>> 'Secret123', >>>>>>>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.144.102', >>>>>>>>>>>>>>>> '/root/ipatests/replica-info.gpg'] >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>>> The host >>>>>>>>>>>>>>>> replica1.ipa.test already exists on the master server. >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>>> You should >>>>>>>>>>>>>>>> remove it before proceeding: >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>>> % ipa >>>>>>>>>>>>>>>> host-del replica1.ipa.test >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR >>>>>>>>>>>>>>>> The >>>>>>>>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd51] >>>>>>>>>>>>>>>> Exit >>>>>>>>>>>>>>>> code: 3 >>>>>>>>>>>>>>>> FAILED >>>>>>>>>>>>>> this is exactly the error that happens when a workaround for >>>>>>>>>>>>>> 5627 >>>>>>>>>>>>>> is not >>>>>>>>>>>>>> applied. I have re-run the tests with all the patches and >>>>>>>>>>>>>> everything >>>>>>>>>>>>>> passed. Could you please double-check, whether patch 0027 was >>>>>>>>>>>>>> applied >>>>>>>>>>>>>> correctly? >>>>>>>>>>>>>> >>>>>>>>>>>>>> bash-4.3$ ipa-run-tests >>>>>>>>>>>>>> test_integration/test_replica_promotion.py >>>>>>>>>>>>>> --pdb >>>>>>>>>>>>>> ==================================================================================== >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> test session starts >>>>>>>>>>>>>> ===================================================================================== >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.7.3 >>>>>>>>>>>>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: >>>>>>>>>>>>>> pytest.ini >>>>>>>>>>>>>> plugins: sourceorder, multihost >>>>>>>>>>>>>> collected 8 items >>>>>>>>>>>>>> >>>>>>>>>>>>>> test_integration/test_replica_promotion.py ........ >>>>>>>>>>>>>> >>>>>>>>>>>>>> ================================================================================ >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> 8 passed in 7561.93 seconds >>>>>>>>>>>>>> ================================================================================= >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> I will >>>>>>>>>>>>> >>>>>>>>>>>>>>> And it needs ticket, otherwise it will not be in 4-3 branch. 
>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5723 >>>>>>>>>>> NACK >>>>>>>>>>> >>>>>>>>>>> 1) >>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestReplicaPromotionLevel0 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', >>>>>>>>>>> '-r', >>>>>>>>>>> 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] RUN >>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', >>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>>>> 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] IPA >>>>>>>>>>> client is >>>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>>> --server, >>>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Your >>>>>>>>>>> system >>>>>>>>>>> may be partly configured. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Run >>>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>>> must >>>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>>> replica >>>>>>>>>>> when the domain is at level 0. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd65] Exit >>>>>>>>>>> code: 1 >>>>>>>>>>> FAILED >>>>>>>>>>> >>>>>>>>>>> 2) >>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestKRAInstall >>>>>>>>>>> >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', '--setup-ca', '--ip-address', '192.168.200.103', >>>>>>>>>>> '-r', >>>>>>>>>>> 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', >>>>>>>>>>> '--setup-ca', '--ip-address', '192.168.200.103', '-r', >>>>>>>>>>> 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>>>> client is >>>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>>> --server, >>>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>>>> system >>>>>>>>>>> may be partly configured. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>>> must >>>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>>> replica >>>>>>>>>>> when the domain is at level 0. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>>>> code: 1 >>>>>>>>>>> FAILED >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 3) >>>>>>>>>>> ipatests.test_integration.test_replica_promotion.TestCAInstall >>>>>>>>>>> >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.ParamikoTransport] >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> RUN ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', '--setup-dns', '--forwarder', '10.34.78.1', >>>>>>>>>>> '--ip-address', '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] RUN >>>>>>>>>>> ['ipa-replica-install', '-U', '-p', 'Secret123', '-w', >>>>>>>>>>> 'Secret123', >>>>>>>>>>> '--setup-dns', '--forwarder', '10.34.78.1', '--ip-address', >>>>>>>>>>> '192.168.200.103', '-r', 'IPA.TEST'] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] IPA >>>>>>>>>>> client is >>>>>>>>>>> already configured on this system, ignoring the --domain, >>>>>>>>>>> --server, >>>>>>>>>>> --realm, --hostname, --password and --keytab options. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Your >>>>>>>>>>> system >>>>>>>>>>> may be partly configured. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Run >>>>>>>>>>> /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR You >>>>>>>>>>> must >>>>>>>>>>> provide a file generated by ipa-replica-prepare to create a >>>>>>>>>>> replica >>>>>>>>>>> when the domain is at level 0. >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] >>>>>>>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The >>>>>>>>>>> ipa-replica-install command failed. 
See >>>>>>>>>>> /var/log/ipareplica-install.log for more information >>>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica2.cmd22] Exit >>>>>>>>>>> code: 1 >>>>>>>>>>> FAILED >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Reason: >>>>>>>>>>> >>>>>>>>>>> def install_replica(master, replica, setup_ca=True, >>>>>>>>>>> setup_dns=False, >>>>>>>>>>> - setup_kra=False, extra_args=()): >>>>>>>>>>> + setup_kra=False, extra_args=(), >>>>>>>>>>> domain_level=None): >>>>>>>>>>> + if domain_level is None: >>>>>>>>>>> + domain_level = domainlevel(master) >>>>>>>>> Oops. Sorry, must have been a result of inaccurate rebase. Fixed >>>>>>>>> The successful run is attached >>>>>>>>> >>>>>>>>>>> - if domainlevel(master) == DOMAIN_LEVEL_0: >>>>>>>>>>> + if domainlevel == DOMAIN_LEVEL_0: >>>>>>>>>>> >>>>>>>>>>> domain_level variable is actually unused >>>>>>>>>>> >>>>>>>>>> Also with your patch that removes host_prepare, I see many >>>>>>>>>> following >>>>>>>>>> errors in test debug output >>>>>>>>>> >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>>>> line 1: >>>>>>>>>> cd: /root/ipatests: No such file or directory >>>>>>>>>> [ipa.ipatests.test_integration.host.Host.replica1.cmd8] -bash: >>>>>>>>>> line 2: >>>>>>>>>> /root/ipatests/env.sh: No such file or directory >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I do not see these errors in current tests, so the patch does not >>>>>>>>>> seem >>>>>>>>>> right to me. >>>>>>>>> http://jenkins.idm.lab.eng.brq.redhat.com:8080/job/freeipa-integration-f23master-customized_ds_config_install-domlevel-1/23/consoleFull >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> I've been experimenting a lot to find get rid of it but was >>>>>>>>> unsuccessful. Seemingly it does not affect the tests. 
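Review bot: in install_replica, the replacement condition `if domainlevel == DOMAIN_LEVEL_0:` compares the `domainlevel` function object with the constant instead of the `domain_level` argument that the added lines resolve just above it. The comparison is therefore never equal and the level-0 branch is skipped, which fits the quoted "You must provide a file generated by ipa-replica-prepare" failures. The line should read `if domain_level == DOMAIN_LEVEL_0:`, and the new `domain_level=None` parameter deserves a comment stating that None means "ask the master".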
>>>>>>>>> >>>>>>>> Oleg it looks like you broke something >>>>>>>> in the test_integration/test_external_ca.py >>>>>>>> >>>>>>>> _______________________ TestExternalCA.test_external_ca >>>>>>>> ________________________ >>>>>>>> >>>>>>>> self = >>>>>>> object at 0x7ff560a51750> >>>>>>>> >>>>>>>> def test_external_ca(self): >>>>>>>> # Step 1 of ipa-server-install >>>>>>>> self.master.run_command([ >>>>>>>> 'ipa-server-install', '-U', >>>>>>>> '-a', self.master.config.admin_password, >>>>>>>> '-p', self.master.config.dirman_password, >>>>>>>> '--setup-dns', '--no-forwarders', >>>>>>>> '-n', self.master.domain.name, >>>>>>>> '-r', self.master.domain.realm, >>>>>>>> '--domain-level=%i' % self.master.config.domain_level, >>>>>>>> '--external-ca' >>>>>>>> ]) >>>>>>>> nss_db = os.path.join(self.master.config.test_dir, >>>>>>>> 'testdb') >>>>>>>> external_cert_file = os.path.join(nss_db, 'ipa.crt') >>>>>>>> external_ca_file = os.path.join(nss_db, 'ca.crt') >>>>>>>> noisefile = os.path.join(self.master.config.test_dir, >>>>>>>> 'noise.txt') >>>>>>>> pwdfile = os.path.join(self.master.config.test_dir, >>>>>>>> 'pwdfile.txt') >>>>>>>> # Create noise and password files for NSS database >>>>>>>>> self.master.run_command('date | sha256sum > %s' % >>>>>>>>> noisefile) >>>>>>>> test_integration/test_external_ca.py:49: >>>>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>>>> _ _ _ _ _ _ >>>>>>>> ../pytest_multihost/host.py:246: in run_command >>>>>>>> command.wait(raiseonerr=raiseonerr) >>>>>>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>>>>>> _ _ _ _ _ _ >>>>>>>> >>>>>>>> self = >>>>>>> 0x7ff5609eb610> >>>>>>>> raiseonerr = True >>>>>>>> >>>>>>>> def wait(self, raiseonerr=True): >>>>>>>> """Wait for the remote process to exit >>>>>>>> Raises an excption if the exit code is not 0, >>>>>>>> unless raiseonerr is >>>>>>>> true. 
>>>>>>>> """ >>>>>>>> if self._done: >>>>>>>> return self.returncode >>>>>>>> self._end_process() >>>>>>>> self._done = True >>>>>>>> if raiseonerr and self.returncode: >>>>>>>> self.log.error('Exit code: %s', self.returncode) >>>>>>>>> raise subprocess.CalledProcessError(self.returncode, >>>>>>>>> self.argv) >>>>>>>> E CalledProcessError: Command 'date | sha256sum > >>>>>>>> /root/ipatests/noise.txt' returned non-zero exit status 1 >>>>>>>> >>>>>>>> ../pytest_multihost/transport.py:159: CalledProcessError >>>>>>>> ---------------------------- Captured stdout setup >>>>>>>> ----------------------------- >>>>>>>> >>>>>>>> ========================== 1 failed in 32.25 seconds >>>>>>>> =========================== >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> The command "date | sha256sum > /root/ipatests/noise.txt" >>>>>>>> >>>>>>>> The only explanation is that the directory /root/ipatests/ does not >>>>>>>> exist. >>>>>>> Obviously this is caused by my patch N 0025 >>>>>>> freeipa-ofayans-0025-Removed-a-constantly-failing-call-to-prepare_host.patch >>>>>>> >>>>>>> >>>>>>> >>>>>>> Without it replica_promotion tests would fail. The only compromise I >>>>>>> see >>>>>>> is to remove this line in unapply_fixes function in >>>>>>> ipatests/test_integration/tasks.py: >>>>>>> >>>>>>> host.run_command(['rm', '-rvf', host.config.test_dir]) >>>>>>> >>>>>>> Now the biggest question is: why do we keep removing the config >>>>>>> folder >>>>>>> anyway? All the files (backups of /etc/hosts, etc) that ever get >>>>>>> there >>>>>>> get overwritten each time anyway so it's quite safe to just keep the >>>>>>> folder throughout the whole test execution. >>>>>>> >>>>>> I do not know why it was removed. IMHO it shoudl be enough >>>>>> to remove just content of this directory. >>>>>> >>>>>> But it will bee godd to fix it ASAP >>>>>> and unblock test test_integration/test_external_ca.py >>>>>> I hope we want to have green test in 4.3 branch. 
>>>>>> Please also open a ticket so it can be backported to
>>>>>> stable branch (if needed)
>>>>>>
>>>>>> LS
>>>>>>
>>>> NACK
>>>>
>>>> 0)
>>>> it is not refactoring, it is bugfixing because it is broken
>>>>
>>>> 1)
>>>> Originally prepare hosts were called for every installation where tasks
>>>> install_server, install_replica, install_client were used. Now hosts are
>>>> prepared only in base install class, so all test cases where install
>>>> classmethod is overridden will have no test directory prepared. Does
>>>> py.test have any method that is called for each test class before install?
>>> Well, we can revert my changes from patch-0025 that actually removed
>>> prepare_host call from a mh fixture in
>>> ipatests/pytest_plugins/integration.py
>>> Then we probably do not need most of the changes from this patch except
>>> the try-except section in prepare_host method itself.
>> OK
>>>> 2)
>>>> I don't like new option in unapply fixes, it breaks symmetry, if
>>>> prepare_host is adding directory, then reverse operation should remove
>>>> directory, IMO unapply_fixes is reverse operation for prepare_host and
>>>> it should not have any option that changes behavior.
>>> Agreed. Will remove it.
>>>

ACK

Pushed to:
ipa-4-3:
* 69335a985dd48c7d47a9e968abd19836d2d075bb Reverted changes in mh fixture causing some tests to fail
* df816e34ec8b945d014a45437bf83030a1e2b162 Fixed a bug with prepare_host failing upon existing ipatests folder
master:
* 7289ad16cb9e33e118f146e1a798e5ed9176cde2 Reverted changes in mh fixture causing some tests to fail
* 2fa09526031b770d6c16aacc76b476d1c3c2e3cb Fixed a bug with prepare_host failing upon existing ipatests folder

From pvoborni at redhat.com Wed Mar 23 17:39:45 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 23 Mar 2016 18:39:45 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2B93D.5090202@redhat.com>
References: <56F2B93D.5090202@redhat.com>
Message-ID: <56F2D4E1.7050001@redhat.com>

On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
>
>

1. The design page doesn't mention if mod_authnz_pam will be extended or
some new 'pam_sss' Apache module will be created. Or is it actually
mod_hbacauthz_pam as said in 'how to test'?

2. "in some location in Apache" is vague

3. If it is a conceptual design then OK but in final following needs to be
specified:
- which LDAP object class is extended with what attribute
- which IPA object is extended with what param
- what API methods are affected
- how will CLI options look

4. what regular expression dialect will be used?
-- Petr Vobornik From mbasti at redhat.com Wed Mar 23 19:13:40 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 23 Mar 2016 15:13:40 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56F2B380.9030504@redhat.com> References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> Message-ID: <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> ----- Original Message ----- From: "Martin Basti" To: "Stanislav Laznicka" , "freeipa-devel" Sent: Wednesday, March 23, 2016 4:17:20 PM Subject: Re: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands On 16.03.2016 14:45, Stanislav Laznicka wrote: > On 03/16/2016 10:22 AM, Jan Cholasta wrote: >> On 16.3.2016 08:33, Stanislav Laznicka wrote: >>> On 03/15/2016 12:47 PM, Petr Vobornik wrote: >>>> On 03/15/2016 07:25 AM, Jan Cholasta wrote: >>>>> On 14.3.2016 17:18, Petr Vobornik wrote: >>>>>> On 03/14/2016 04:55 PM, Jan Cholasta wrote: >>>>>>> On 14.3.2016 16:26, Petr Vobornik wrote: >>>>>>>> On 03/14/2016 12:57 PM, Jan Cholasta wrote: >>>>>>>>> On 14.3.2016 12:50, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 14.03.2016 12:05, Jan Cholasta wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> On 11.3.2016 10:39, Stanislav Laznicka wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> Please see the patch attached. Contrary to the discussion at >>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/4987 I also added the >>>>>>>>>>>> suffix >>>>>>>>>>>> option for clean_ruv command. If this command is available for >>>>>>>>>>>> normal >>>>>>>>>>>> RUVs, it should probably be available for CS-RUVs as well (or >>>>>>>>>>>> deprecated >>>>>>>>>>>> for both with advised use of clean_dangling_ruv). 
>>>>>>>>>>> >>>>>>>>>>> ipa-csreplica-manage is used to manage the CA suffix, so >>>>>>>>>>> ipa-csreplica-manage should be extended instead of adding >>>>>>>>>>> --suffix >>>>>>>>>>> option to ipa-replica-manage. Having half of the CA suffix >>>>>>>>>>> managed by >>>>>>>>>>> ipa-replica-manage and the other half by ipa-replica-manage is >>>>>>>>>>> confusing. >>>>>>>>>>> >>>>>>>>>>> Honza >>>>>>>>>>> >>>>>>>>>> There is a design document about deprecating >>>>>>>>>> ipa-csreplica-manage and >>>>>>>>>> move part of its responsibilities to ipa-replica-manage. >>>>>>>>>> >>>>>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4#ipa.28cs.29replica_manange_changes >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> So patch is compatible with design. >>>>>>>>> >>>>>>>>> The design is wrong then. >>>>>>>> >>>>>>>> I don't agree. >>>>>>>> >>>>>>>>> >>>>>>>>> Either do it in ipa-csreplica-manage, or make *all* >>>>>>>>> ipa-replica-manage >>>>>>>>> sub-commands respect the --suffix option. Anything else is >>>>>>>>> inconsistent >>>>>>>>> mess. >>>>>>>> >>>>>>>> That's the idea for domain level 1. There is little value in >>>>>>>> extending >>>>>>>> behavior(managing replication agreements) in domain level 0. >>>>>>> >>>>>>> Domain level 0 is still relevant, it won't go away anytime soon. >>>>>>>> >>>>>>>> Main idea is to not care about suffixes and work with all suffixes >>>>>>>> right >>>>>>>> away. This is reflected in clean-dangling-ruv command and these >>>>>>>> extensions are its counterpart - to enable disabling the run. We >>>>>>>> mostly >>>>>>>> care about replica IDs not suffixes they belong to. IMO --suffix >>>>>>>> option >>>>>>>> is not necessary and is mostly for debugging. 
>>>>>>>> >>>>>>>> One of the reasons why we have all the RUV commands is a mess >>>>>>>> after >>>>>>>> uninstallation when somebody forgets/ignores to run >>>>>>>> `ipa-csreplica-manage del $server` or also `ipa-replica-manage del >>>>>>>> $server` before uninstallation of replica. Users then usually run >>>>>>>> `ipa-replica-manage del $server` --force --clean` but >>>>>>>> `ipa-csreplica-manage del $server` can't be run after it. >>>>>>>> Changes in >>>>>>>> 4.3 and 4.4 tries to prevent this situation (e.g. by calling >>>>>>>> equivalent >>>>>>>> of `ipa-cs+replica-manage del` from `ipa-server-install >>>>>>>> --uninstall`). >>>>>>>> But until then mess is cleaned on all servers, we should deal >>>>>>>> with it >>>>>>>> with the most convenient way - hiding implementation details. >>>>>>>> >>>>>>> >>>>>>> This is actually exposing implementation details by forcing the >>>>>>> user to >>>>>>> use a different command based on the domain level. >>>>>> >>>>>> What different commands? >>>>> >>>>> ipa-replica-manage vs ipa-csreplica-manage cs API commands. >>>>> >>>>>> >>>>>>> Please explain to me how any of the above requires us to introduce >>>>>>> additional inconsistencies and bad UX to IPA. >>>>>> >>>>>> What bad UX? >>>>> >>>>> This is how replicas are managed in domain level 0 without the patch: >>>>> >>>>> suffix both domain ca >>>>> >>>>> list - i-r-m i-c-m >>>>> >>>>> list-ruv - i-r-m - >>>>> >>>>> connect - i-r-m i-c-m >>>>> >>>>> diconnect - i-r-m i-c-m >>>>> >>>>> del - i-r-m i-c-m >>>>> >>>>> re-initialize - i-r-m i-c-m >>>>> >>>>> force-sync - i-r-m i-c-m >>>>> >>>>> clean-ruv - i-r-m - >>>>> >>>>> abort-clean-ruv - i-r-m - >>>>> >>>>> list-clean-ruv i-r-m - - >>>> >>>> isnt' it?: >>>> - i-r-m - >>>> >>> It is AFAIK. >> >> It's not, the command searches all 'cleanallruv' and 'abort >> cleanallruv' tasks without filtering by suffix. > My bad, misread it and thought it was list-ruv. 
>> >>>> >>>>> >>>>> clean-dangling-ruv i-r-m - - >>>>> >>>>> (i-r-m == ipa-replica-manage, etc.) >>>>> >>>>> >>>>> This is how replicas are managed in domain level 1 with the patch: >>>>> >>>>> suffix both domain ca >>>>> >>>>> list - i-r-m i-c-m >>>>> s-f s-f -ts=d s-f -ts=c >>>>> >>>>> list-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> connect - ts-a d ts-a c >>>>> >>>>> diconnect - ts-d d ts-d c >>>>> >>>>> del i-r-m - - >>>>> s-d - - >>>>> >>>>> re-initialize - i-r-m i-c-m >>>>> - ts-r d ts-r c >>>>> >>>>> force-sync - i-r-m i-c-m >>>>> >>>>> clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> abort-clean-ruv i-r-m i-r-m -s=d i-r-m -s=c >>>>> >>>>> list-clean-ruv i-r-m - - >>>>> >>>>> clean-dangling-ruv i-r-m - - >>>>> >>>>> (s-f -ts=d == server-find --topologysuffixes=domain, etc.) >>>>> >>>>> >>>>> Maybe it's just me, but I fail to see the pattern here and find this >>>>> very confusing. (Note that I'm not trying to blame this particular >>>>> patch >>>>> for this, I'm just frustrated from the overall state.) >>>> >>>> Yes, backwards compatibility(bc) makes a mess there. But look at the >>>> state in following way (bc hidden): >>>> >>>> suffix both domain ca >>>> >>>> == Normal operations (i.e. all in API) == >>>> >>>> list s-f s-f -ts=d s-f -ts=c >>>> >>>> >>>> >>>> connect - ts-a d ts-a c >>>> >>>> diconnect - ts-d d ts-d c >>>> >>>> del s-d - - >>>> >>>> == Debugging & Fixing == >>>> >>>> re-initialize ts-r d ts-r c >>>> - i-r-m i-c-m >>>> >>>> force-sync - i-r-m i-c-m >>>> >>>> >>>> list-ruv i-r-m >>>> >>>> clean-ruv i-r-m >>>> >>>> abort-clean-ruv i-r-m >>>> >>>> list-clean-ruv i-r-m - - >>>> >>>> clean-dangling-ruv i-r-m - - >>>> >>>> >>>> Then we can see that only issue is force-sync operations which use >>>> case I don't really understand and with re-initialize which should be >>>> improved in API to be more usable (currently there is no progress >>>> status). >>>> >>>> Note: "debugging and fixing" is basically the same on both domain >>>> levels. 
>>>> >>>> >>>>> >>>>>> >>>>>> It is supposed to be used in following way: >>>>>> ipa-replica-manage clean-dangling-ruvs >>>>>> >>>>>> If from whatever reason some clean ruv task is not finished then: >>>>>> ipa-replica-manage list-clean-ruv >>>>>> [all running task for all suffixes] >>>>>> ipa-replica-manage abort-clean-ruv REPLICATION_ID >>>>>> >>>>>> Nothing else. Works for both domain levels and suffixes from a >>>>>> single >>>>>> tool. Again, --suffix option is not important. >>>>> >>>>> This changes the default behavior in domain level 0. I though we >>>>> are not >>>>> extending domain level 0 anymore, you said it yourself in a comment >>>>> above. >>>> >>>> I meant that we don't need to invest into new features in domain level >>>> 0 but RUV commands doesn't need to behave differently on various >>>> domain levels. There is no reason. >>>> >>>>> >>>>>> >>>>>> Note: clean-ruv subcommand could be probably marked as deprecated >>>>>> or be >>>>>> discouraged to use. >>>>> >>>>> If the commands are deprecated, why further extend them? >>>> >>>> No reason, clean-ruv subcommand doesn't need to be extended. Maybe to >>>> have similar behavior as rest of ruv commands. >>>> >>> It was exactly for that reason. If there's abort-clean-ruv which allows >>> aborting the clean operation for both suffixes, it seems rather natural >>> to have its counterpart to be able to do the same (as long as it's not >>> deprecated, which we might do right now if it seems like a good >>> thing to >>> do). >>>>> >>>>>> >>>>>> If the patch doesn't implement it, then it's wrong. >>>>> >>>>> The patch changes the default behavior of the sub-commands and >>>>> extends >>>>> them even in domain level 0. I would think at least that should be >>>>> fixed. >>>> >>>> Why? >>>> >>>> >>> Given the question of deprecating clean-ruv is answered by now, I >>> should >>> also ask why. >> >> We discussed this with Petr offline. 
We agreed that it's actually
>> desirable to make all clean-ruv commands behave the same on all
>> domain levels. We also agreed that it's desirable to make the normal
>> operation commands behave the same on all domain levels, which is
>> currently not true for the connect and disconnect commands, but
>> that's unrelated to this patch.
>>
>> Therefore, I'm OK with the approach, as long as you either remove the
>> --suffix option altogether, or add it to the remaining clean-ruv
>> commands (list-clean-ruv and clean-dangling-ruv). I would personally
>> just remove it, because as Petr pointed out, it's not actually
>> necessary for anything.
>>
> Modified the patch (removed the --suffix option) and added password
> check for clean_dangling_ruv command to be in the same spot as for the
> other commands.

Can you please update design
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly the
--suffix option)? Also there are missing clean-ruv and list-ruv commands in
design, and fix usage at the bottom.

1)
I don't understand this expression
+ if dirman_passwd is None or ( + not dirman_passwd and args[0] in cs_enabled_commands):

You already tested if subcommand belongs to cs_enabled_commands few lines
above, IMO the 'dirman_password is None' expression is enough.

2)
+# tuple of commands that work with ca tree and need Directory Manager password +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv")

this variable is used only to detect if dirman passwd is needed, I suggest
to rename it to commands_req_dirman_passwd, or something better.

3)
Q: Do we need is_cs_set() function?
A: Yes!

I wanted to give you ultimate NACK, but then I checked how get_ruv code
works and I changed my mind. Please write a comment where is_cs_set function
is used, why we need extra function instead of catching an exception,
possibly you can open a refactoring ticket.

Shame:

1)
+ if not test_connection(realm, host, options.nolookup) or\
Please use parentheses instead of backslash

2)
+ args[0] in cs_enabled_commands: + not dirman_passwd and args[0] in cs_enabled_commands):
Indentation is not multiplication of 4

Nitpicks (I don't insist on fixing these):

1)
+ if servers.get('ca', None):
None is default

2)
+ for (netloc, rid) in servers['ca']:
parentheses are not needed

3)
+ print("\t%s: %s" % (netloc, rid))
Would be nice to use .format() instead of %

Martin^2

I changed my mind, ultimate NACK.

Please fix get_ruv function, is_cs_set will not help. In case there are no
RUVs but CA is installed, sys.exit there prevents us from removing RUVs (or
any else operation) on domain suffix, and vice versa.

I propose to move ticket to 4.4 milestone because I would like to avoid
breaking something in 4.3, as this will hit many places in
ipa-replica-manage.

Please provide the refactoring of get_ruv as separate patch and put these
patches on top of it.

Martin2

From ftweedal at redhat.com Thu Mar 24 01:39:17 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 24 Mar 2016 11:39:17 +1000
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2BC4F.8030908@redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2BC4F.8030908@redhat.com>
Message-ID: <20160324013917.GH18277@dhcp-40-8.bne.redhat.com>

On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
> Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
> >
> >
>
> Can you make the ticket reference a link?
>
> Is it expected that a full URI will be used, including protocol? Your early
> examples are http://path/to/somewhere and later you just use
> /path/to/somewhere. Will protocol be allowed? I ask because it can be
> problematic because users would have to consider and remember http vs https,
> for example.
> > What happens if ftp, for example, added HBAC support and wanted to utilize > this but wanted different access control by protocol? > > I think case sensitivity might be pretty important too, though might be best > left as an exercise for the user. > > I'm not sure what you mean by the CLI section. It seems like you are just > adding in a uri option so I'd be explicit. Showing possible usage would be > handy too. > > What kind of regex validation can be done, if any? > > rob > Further to Rob's points, what about including the method being used (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an important aspect to include. How deep does this rabbit-hole go? :) Cheers, Fraser From mkosek at redhat.com Thu Mar 24 09:03:23 2016 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 24 Mar 2016 10:03:23 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F2B93D.5090202@redhat.com> References: <56F2B93D.5090202@redhat.com> Message-ID: <56F3AD5B.2070904@redhat.com> On 03/23/2016 04:41 PM, Luk?? Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design Technicality update: - I changed the name and moved it to consistent location: http://www.freeipa.org/page/V4/URI-based_HBAC - I removed "version=0.1" from the "Feature box", so that design appears in the right category: http://www.freeipa.org/index.php?title=Category:FreeIPA_Design_Proposal FIY - the version denotes the target version of the FreeIPA (when accepted) and not version of the design. From jpazdziora at redhat.com Thu Mar 24 09:24:47 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Thu, 24 Mar 2016 10:24:47 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F2B93D.5090202@redhat.com> References: <56F2B93D.5090202@redhat.com> Message-ID: <20160324092447.GR16196@redhat.com> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Luk?? 
Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design

The way most web applications (that I see as the first use for this
feature) are structured, they have more openly accessible areas at
"top" URLs like

        /application/

which might have unrestricted access, with authenticated or otherwise
narrowed access underneath, like

        /application/users/

with yet more restricted areas in sub-URLs, for example

        /application/users/admin/

Since obviously allow rule for

        /application/users/

would match access to

        /application/users/admin/

as well and we don't want that, there needs to be a way to "override"
the /application/users/ rule with a more specific one.

You present two solutions to the problem -- deny rules, and regular
expressions.

Having to use

        ^/application/users/(?!admin/).*

rule to make sure it does not match /application/users/admin/ means
that when you add

        /application/users/helpdesk/

you will not only have to edit that rule, but also amend the

        ^/application/users/(?!admin/).*

rule and add helpdesk there. That will be extremely volatile and
error-prone if you have dozens of sub-locations that require separate,
more restrictive access. Users cannot be expected to keep these
separate rules in sync.

My preferred solution would be to treat the URL as left prefix, and
maintain for each URL/rule list of/links to sub-URLs/sub-rules for
which the URL/rule no longer applies. So when you have rule for

        /application/users/

and add rule for

        /application/users/admin/

the first one gets automatically amended to be

        /application/users/ [ admin/ ]

And when you add

        /application/

it will automatically get

        /application/ [ users/ ]

because there is already a rule that limits the scope.

The benefit of this approach is that if you need to evaluate access
to say

        /application/data/

and you already have rule for

        /application/ [ users/ ]

cached either in SSSD or in the application (Apache module), you know
you don't have to refetch additional rules because if they existed,
their existence would be noted in the sub-URL "exclusion" list.

You will achieve similar functionality to what you propose with the
regular expression approach, except the computers will do the work
of keeping things in sync, not users.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 09:31:47 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 10:31:47 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2B93D.5090202@redhat.com>
References: <56F2B93D.5090202@redhat.com>
Message-ID: <20160324093147.GS16196@redhat.com>

On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design

In the document, you say

        In all of them [ approaches ], I use only the part of URI
        after hostname as hostname and service are already matched
        as part of selecting HBAC rules to evaluate in terms of
        matching URI.

This is not correct.

The hostname of the machine may be cloud-123-567.example.com

The service (principal) might be HTTP/cloud-123-567.example.com.

The HBAC service (== PAM service) might be 'application', or 'httpd'.

But the URL might be

        http://wiki.example.com/wiki

or

        https://issues.example.com/

or

        http://www.example.com:8080/

Distinct applications and content, with completely distinct URLs,
locations, and security requirements, hosted on the same machine
and under the same HBAC service.

The full URL needs to be taken into account.

There can be situations like

        http:///wiki

where the hostname is omitted in the rule but it has to be an
explicit decision of the user (admin) editing the rules, not
something built into the mechanism.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 09:43:35 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 10:43:35 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2B93D.5090202@redhat.com>
References: <56F2B93D.5090202@redhat.com>
Message-ID: <20160324094335.GT16196@redhat.com>

On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design

I try to put separate areas of concerns into separate emails to make
it easy to keep track.

The document says

        There is a new field in HBAC rule details for adding URI PCRE
        as plain text.

We need an easy way for the user to enter multiple URLs for the same
rule. The primary case is obviously the http / https duality

        http://www.example.com/
        https://www.example.com/

but there might be other situations when additional service is being
deployed and it is supposed to use exactly the same rule as five
existing ones. In that case the user has to be able to just add
additional URL to existing HBAC rule, not be forced to create separate
new rule which will likely go out of sync from the previous ones when
they are edited.

In addition, there should be an easy way to see all HBAC rules for a
particular URL (and all sub-URLs) -- it should be possible to search
for

        www.example.com

and see all the

        http://www.example.com/                 HBAC rule name 1
        https://www.example.com/                HBAC rule name 1
        http://www.example.com/auth/            HBAC rule name 2
        https://www.example.com/auth/           HBAC rule name 2
        http://www.example.com/auth/admin/      HBAC rule name 3
        https://www.example.com/auth/admin/     HBAC rule name 3

ideally in some concise way if multiple URLs lead to the same rule
and changes between rules that differ:

        http(s)://www.example.com/              HBAC rule name 1
        http(s)://www.example.com/auth/         HBAC rule name 2
                        User group: core-employees
        http(s)://www.example.com/auth/admin/   HBAC rule name 3
                        User group: network-admins

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 10:39:54 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 11:39:54 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2BC4F.8030908@redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2BC4F.8030908@redhat.com>
Message-ID: <20160324103953.GX16196@redhat.com>

On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>
> I think case sensitivity might be pretty important too, though might be best
> left as an exercise for the user.

For protocol and hostname it likely needs to be case insensitive.
For the rest of the URL there probably should be a checkbox for the
user to explicitly enable case-insensitivity.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mkubik at redhat.com Thu Mar 24 10:59:31 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 24 Mar 2016 11:59:31 +0100
Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker
In-Reply-To: <1335569448.42727105.1457707349989.JavaMail.zimbra@redhat.com>
References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com> <56DE9B15.40305@redhat.com> <1335569448.42727105.1457707349989.JavaMail.zimbra@redhat.com>
Message-ID: <56F3C893.8080107@redhat.com>

On 03/11/2016 03:42 PM, Filip Skola wrote:
>
> ----- Original Message -----
>> On 01/28/2016 10:45 AM, Filip Skola wrote:
>>>> The same as with patch 0002:
>>>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
>>>> W:142,26: Calling a dict.iter*() method (dict-iter-method)
>>>>
>>>> Please use dict.items method.
>>>>
>>>> --
>>>> Milan Kubik
>>>>
>>>>
>>> Hi,
>>>
>>> attaching a fixed patch. This patch is dependent on updated group plugin
>>> test patch 0002-7.
>>>
>>> Filip
>> Hello, sorry for delay. The patch no longer applies after 0002-8.
>>
>> --
>> Milan Kubik
>>
>>
> Hi,
>
> rebased. The next patch should be applicable on top of this one.
>
> Filip

Sorry for long delays. ACK.

--
Milan Kubik

From mkubik at redhat.com Thu Mar 24 10:59:52 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Thu, 24 Mar 2016 11:59:52 +0100
Subject: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin
In-Reply-To: <20160307145336.2fa0f064@dhcp-24-122.brq.redhat.com>
References: <1693360345.1327020.1450781862487.JavaMail.zimbra@redhat.com> <991418926.1327028.1450781870579.JavaMail.zimbra@redhat.com> <20160307145336.2fa0f064@dhcp-24-122.brq.redhat.com>
Message-ID: <56F3C8A8.2050809@redhat.com>

On 03/07/2016 02:53 PM, Filip Škola wrote:
> Sorry, forgot to cc you, Milan.
>
> F.
>
> On Tue, 22 Dec 2015 05:57:50 -0500 (EST)
> Filip Skola wrote:
>
>> And also sending refactored hostgroup plugin test.
>>
>> F

Sorry for long delay. ACK.

--
Milan Kubik

From mkosek at redhat.com Thu Mar 24 11:38:37 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Mar 2016 12:38:37 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324092447.GR16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com>
Message-ID: <56F3D1BD.1050000@redhat.com>

On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
...
> You present two solutions to the problem -- deny rules, and regular
> expressions.

For the record, HBAC deny rules is something we will want to avoid.
Deny HBAC rules were removed in the past for good reasons:

https://www.redhat.com/archives/freeipa-users/2011-June/msg00256.html
https://fedorahosted.org/freeipa/ticket/1432

Martin

From jpazdziora at redhat.com Thu Mar 24 12:09:24 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 13:09:24 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324013917.GH18277@dhcp-40-8.bne.redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2BC4F.8030908@redhat.com> <20160324013917.GH18277@dhcp-40-8.bne.redhat.com>
Message-ID: <20160324120924.GY16196@redhat.com>

On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
>
> Further to Rob's points, what about including the method being used
> (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> important aspect to include.
>
> How deep does this rabbit-hole go? :)

The work, while focused primarily on web use-cases, should be usable
outside of HTTP protocol. The rabbit hole might include questions
about mapping FTP commands into some sensible list of methods that
could be easily managed.

In his work Lukáš seemed concerned by DENY rules not being supported
(were removed from IPA), hence his regexp proposal with negative
lookaheads to avoid

        /               all users
        /admin          admins

where of course both URLs would match for access to /admin/edit
but the longer one should win, thus serving as DENY.

For FTP that has the potential of having to list looooong list of
commands:

        long-list-of-all-cmds-except-write-cmds / all users
        long-list-of-write-commands             / admins

If we could specify

        *                               / all users
        long-list-of-write-commands     / admins

and the situation was not considered as introduction of DENY
mechanism, it might be more feasible. We might still want to have
"metacommands" like 'FTP:read', 'FTP:write' to group the underlying
commands for easy maintenance and presentation.

My preference would be not to do the methods at this time but have
the data structured in such a way that it's easy to extend later.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 12:24:02 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 13:24:02 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F3D1BD.1050000@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56F3D1BD.1050000@redhat.com>
Message-ID: <20160324122402.GA16196@redhat.com>

On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
>
> For the record, HBAC deny rules is something we will want to avoid. Deny HBAC

Certainly. And for the current HBAC's model of user (groups), host
(groups), service (groups), you can tell the admin to structure their
environment and groups in such a way that they are not needed.

But the question is, if you want for the admin to be able to control
access to a website where longer URLs often need to be more restricted
than the shorter ones, what mechanism do you propose? It is not
possible to positively (for allow purposes) list only exhaustive list
of URL prefixes that should have the broader access allowed -- new
versions of the web application can introduce additional URLs into the
namespace, and the URLs are not identities like users or hosts that
FreeIPA would be aware of that you could easily manage by putting
them to groups.

The natural way to think about access to web URLs is to say "I only
want admins to access /application/users/admin/". Which of course
means "I want to deny everyone who has otherwise access to other URLs,
except for admins".

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 12:31:50 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 13:31:50 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2D4E1.7050001@redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2D4E1.7050001@redhat.com>
Message-ID: <20160324123150.GB16196@redhat.com>

On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
>
> 1. The design page doesn't mention if mod_authnz_pam will be extended or
> some new 'pam_sss' Apache module will be created. Or is it actually
> mod_hbacauthz_pam as said in 'how to test'?

If PAM is used and pam_sss is extended to accept the URL in PAM
environment for pam_acct_mgmt, I'd expect patch would be proposed
against mod_authnz_pam.

If that turns out not to be a viable option, using SSSD's D-Bus
interface might be the way to go, in which case it would likely be new
module, something like mod_authz_sssd.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Thu Mar 24 12:41:51 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Thu, 24 Mar 2016 13:41:51 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F2B93D.5090202@redhat.com>
References: <56F2B93D.5090202@redhat.com>
Message-ID: <20160324124151.GA16353@redhat.com>

On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design

Could you please elaborate on unauthenticated accesses? Many web
applications have completely public parts, and then authenticated
sections, with more restricted access to subsections underneath.
How do you envision configuration to look like, and how will the
(missing) user identity be handled in that case?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From mbabinsk at redhat.com Thu Mar 24 12:47:46 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 24 Mar 2016 13:47:46 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56F12C4D.70906@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> <1458131710.2518.0.camel@redhat.com> <56E95CEA.3070509@redhat.com> <56F12C4D.70906@redhat.com>
Message-ID: <56F3E1F2.1060807@redhat.com>

On 03/22/2016 12:28 PM, Martin Babinsky wrote:
> On 03/16/2016 02:17 PM, Martin Babinsky wrote:
>> On 03/16/2016 01:35 PM, Nathaniel McCallum wrote:
>>> On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote:
>>>> On 15.3.2016 22:22, Nathaniel McCallum wrote:
>>>>>
>>>>> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
>>>>>>
>>>>>> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8.3.2016 17:45, Martin Babinsky wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> On 8.3.2016 16:21, Martin Babinsky wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>>>>>>>> 1) Instead of checking for utf-8 in particular, I would
>>>>>>>>>> prefer a more
>>>>>>>>>> robust approach:
>>>>>>>>>>
>>>>>>>>>>      try:
>>>>>>>>>>          qr = qrcode.QRCode()
>>>>>>>>>>          qr.add_data('test')
>>>>>>>>>>          qr.make()
>>>>>>>>>>          qr.print_ascii(tty=True)
>>>>>>>>>>      except UnicodeError:
>>>>>>>>>>          # it is not
printable
>>>>>>>>>>      else:
>>>>>>>>>>          # it is printable
>>>>>>>>>>
>>>>>>>>> Now you mean the check in the _check_qrcode_capability() or
>>>>>>>>> the
>>>>>>>>> _print_qrcode() method itself?
>>>>>>>> _check_qrcode_capability() of course.
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2) There is no os.isatty() check to see if stdout is
>>>>>>>>>> actually
>>>>>>>>>> a tty.
>>>>>>>>>>
>>>>>>>>> This check is performed inside both print_ascii() and
>>>>>>>>> print_tty()
>>>>>>>>> methods of QRCode object, but you probably mean that I
>>>>>>>>> should
>>>>>>>>> put the
>>>>>>>>> check also into _check_qrcode_capability() method, right?
>>>>>>>> Yes. If stdout is not a tty, we should at least not tty=True
>>>>>>>> in
>>>>>>>> print_ascii().
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Honza
>>>>>>>>>>
>>>>>>> Attaching updated patch. After the discussion with other
>>>>>>> developers
>>>>>>> we
>>>>>>> decided to just print warnings when non-UTF-8 encoding is used
>>>>>>> and
>>>>>>> tty
>>>>>>> width is smaller than the QR code size.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Found some minor errors in the patch, attaching updated version.
>>>>> NACK
>>>>>
>>>>> This patch has the major problem that tokens are added but then
>>>>> unusable because they can't be provisioned to the devices. You need
>>>>> to
>>>>> check if qrcode output is possible before the token is added to
>>>>> LDAP.
>>>> We discussed this on the IPA devel meeting and the decision was that
>>>> since the otpauth URI is always displayed, a warning is sufficient
>>>> when
>>>> the QR code cannot be printed.
>>>>
>>>> If you disagree, could you explain why the URI is not sufficient for
>>>> provisioning the token?
>>>
>>> I guess that is okay.
>>>
>>
>> Thank you Nathaniel.
>>
>> Jan had some offline comments to the patch. Attaching updated version.
>>
>>
>>
> Attaching updated patches.
>
>
>
I fixed the warning message when the QR code can not be rendered.

Attaching updated patches.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbabinsk-0139.5-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5649 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0139.5-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5615 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Mar 24 12:55:01 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 24 Mar 2016 13:55:01 +0100
Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
In-Reply-To: <56EC80D3.6010703@ubuntu.com>
References: <56EADD09.2060109@redhat.com> <56EC80D3.6010703@ubuntu.com>
Message-ID: <56F3E3A5.9000207@redhat.com>

On 18.3.2016 23:27, Timo Aaltonen wrote:
> On 17.03.2016 18:36, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5681
>
> would be nicer if ipa-httpd.conf was a template with the current
> hardcoded values replaced with platform paths..

+1, I would also prefer if the file was renamed to
init/systemd/httpd.conf rather than install/share/ipa-httpd.conf.

>
>
> not relevant to this patch, but there are others candidates for
> templates like:
>
> daemons/dnssec/ipa-dnskeysyncd.service
> daemons/dnssec/ipa-ods-exporter.service
> install/conf/ipa.conf

--
Jan Cholasta

From jcholast at redhat.com Thu Mar 24 13:08:59 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 24 Mar 2016 14:08:59 +0100
Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer
In-Reply-To: <56EC0CC5.5040209@redhat.com>
References: <56EADD09.2060109@redhat.com> <56EC0CC5.5040209@redhat.com>
Message-ID: <56F3E6EB.5040805@redhat.com>

On 18.3.2016 15:12, Martin Babinsky wrote:
> On 03/17/2016 05:36 PM, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5681
>>
>> Patch attached.
>>
>>
> Hi Martin,
>
> Nitpick attack:
>
> Please fix the commit message: "File httpd.service was created by RPM,
> what causes that httpd service may", should be "..., which causes"
>
> Otherwise the code looks good and works as expected.
>
> However, you still cannot start httpd.service after ipa-server
> uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss
> to fail (see http error_log):
>
> """
> [Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232:
> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot
> internal is incorrect.
> [Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization
> failed. Certificate database: /etc/httpd/alias.
> [Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error:
> -8177 The security password entered is incorrect
>
> """
>
> I guess that this is beyond this patch, since I think it is related to
> https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing
> Jan who owns the ticket.

It seems so, on uninstall we restore mod_nss config, so httpd uses the
default password (whatever that is), but the database still uses the
password set by us on install.

--
Jan Cholasta

From mkosek at redhat.com Thu Mar 24 13:08:22 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 24 Mar 2016 14:08:22 +0100
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324122402.GA16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56F3D1BD.1050000@redhat.com> <20160324122402.GA16196@redhat.com>
Message-ID: <56F3E6C6.10700@redhat.com>

On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš
Hellebrandt wrote:
>> ...
>>> You present two solutions to the problem -- deny rules, and regular
>>> expressions.
>>
>> For the record, HBAC deny rules is something we will want to avoid. Deny HBAC
>
> Certainly. And for the current HBAC's model of user (groups), host
> (groups), service (groups), you can tell the admin to structure their
> environment and groups in such a way that they are not needed.

Right.

> But the question is, if you want for the admin to be able to control
> access to a website where longer URLs often need to be more restricted
> than the shorter ones, what mechanism do you propose? It is not
> possible to positively (for allow purposes) list only exhaustive list
> of URL prefixes that should have the broader access allowed -- new
> versions of the web application can introduce additional URLs into the
> namespace, and the URLs are not identities like users or hosts that
> FreeIPA would be aware of that you could easily manage by putting
> them to groups.

I agree it is complicated. While Deny HBAC rules is something we do not
want, allowing exclusive rules for an HBAC URI rule may be acceptable.
This would be the same approach we chose with Exclusive Time rules in
Time-Based HBAC:

http://www.freeipa.org/page/V4/Time-Based_Account_Policies#Time_Policies_Storage

For the URI identifiers, we should also try to reinvent the wheel here.
Can we adopt an approach used in some of the most common frameworks for
URL matching? Take Django for example:

https://docs.djangoproject.com/en/1.9/topics/http/urls/

Using the pattern approach you mentioned elsewhere could work, I am just
worried how much user friendly it would be for non-developers. But we
can also make use of these patterns as the raw storage format and build
some nice UI/CLI on top of it.

> The natural way to think about access to web URLs is to say "I only
> want admins to access /application/users/admin/".
Which of course
> means "I want to deny everyone who has otherwise access to other URLs,
> except for admins".

Can we do the same as with current default "allow all" rule? I.e. allow
"/" for all sites by default and let admin to remove that for sites with
access controlled and restricted by FreeIPA HBAC.

This would mean admin would typically need to define some general rule
the site accessible by all with the exceptions defined in "exclude"
access rules and then build the rules specific to these excluded parts
of the application URL tree.

Martin

From mbabinsk at redhat.com Thu Mar 24 13:13:37 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 24 Mar 2016 14:13:37 +0100
Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty
In-Reply-To: <56F3E1F2.1060807@redhat.com>
References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> <1458131710.2518.0.camel@redhat.com> <56E95CEA.3070509@redhat.com> <56F12C4D.70906@redhat.com> <56F3E1F2.1060807@redhat.com>
Message-ID: <56F3E801.1010302@redhat.com>

On 03/24/2016 01:47 PM, Martin Babinsky wrote:
> On 03/22/2016 12:28 PM, Martin Babinsky wrote:
>> On 03/16/2016 02:17 PM, Martin Babinsky wrote:
>>> On 03/16/2016 01:35 PM, Nathaniel McCallum wrote:
>>>> On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote:
>>>>> On 15.3.2016 22:22, Nathaniel McCallum wrote:
>>>>>>
>>>>>> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote:
>>>>>>>
>>>>>>> On 03/15/2016 03:36 PM, Martin Babinsky wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 8.3.2016 17:45, Martin Babinsky wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> On
8.3.2016 16:21, Martin Babinsky wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5700
>>>>>>>>>>> 1) Instead of checking for utf-8 in particular, I would
>>>>>>>>>>> prefer a more
>>>>>>>>>>> robust approach:
>>>>>>>>>>>
>>>>>>>>>>>      try:
>>>>>>>>>>>          qr = qrcode.QRCode()
>>>>>>>>>>>          qr.add_data('test')
>>>>>>>>>>>          qr.make()
>>>>>>>>>>>          qr.print_ascii(tty=True)
>>>>>>>>>>>      except UnicodeError:
>>>>>>>>>>>          # it is not printable
>>>>>>>>>>>      else:
>>>>>>>>>>>          # it is printable
>>>>>>>>>>>
>>>>>>>>>> Now you mean the check in the _check_qrcode_capability() or
>>>>>>>>>> the
>>>>>>>>>> _print_qrcode() method itself?
>>>>>>>>> _check_qrcode_capability() of course.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2) There is no os.isatty() check to see if stdout is
>>>>>>>>>>> actually
>>>>>>>>>>> a tty.
>>>>>>>>>>>
>>>>>>>>>> This check is performed inside both print_ascii() and
>>>>>>>>>> print_tty()
>>>>>>>>>> methods of QRCode object, but you probably mean that I
>>>>>>>>>> should
>>>>>>>>>> put the
>>>>>>>>>> check also into _check_qrcode_capability() method, right?
>>>>>>>>> Yes. If stdout is not a tty, we should at least not tty=True
>>>>>>>>> in
>>>>>>>>> print_ascii().
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Honza
>>>>>>>>>>>
>>>>>>>> Attaching updated patch. After the discussion with other
>>>>>>>> developers
>>>>>>>> we
>>>>>>>> decided to just print warnings when non-UTF-8 encoding is used
>>>>>>>> and
>>>>>>>> tty
>>>>>>>> width is smaller than the QR code size.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Found some minor errors in the patch, attaching updated version.
>>>>>> NACK
>>>>>>
>>>>>> This patch has the major problem that tokens are added but then
>>>>>> unusable because they can't be provisioned to the devices. You need
>>>>>> to
>>>>>> check if qrcode output is possible before the token is added to
>>>>>> LDAP.
>>>>> We discussed this on the IPA devel meeting and the decision was that
>>>>> since the otpauth URI is always displayed, a warning is sufficient
>>>>> when
>>>>> the QR code cannot be printed.
>>>>>
>>>>> If you disagree, could you explain why the URI is not sufficient for
>>>>> provisioning the token?
>>>>
>>>> I guess that is okay.
>>>>
>>>
>>> Thank you Nathaniel.
>>>
>>> Jan had some offline comments to the patch. Attaching updated version.
>>>
>>>
>>>
>> Attaching updated patches.
>>
>>
>>
> I fixed the warning message when the QR code can not be rendered.
>
> Attaching updated patches.
>
>
>
6th time the charm.

--
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbabinsk-0139.6-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5443 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0139.6-otptoken-add-improve-the-robustness-of-QR-code-print.patch
Type: text/x-patch
Size: 5409 bytes
Desc: not available
URL:

From ayoung at redhat.com Thu Mar 24 13:18:43 2016
From: ayoung at redhat.com (Adam Young)
Date: Thu, 24 Mar 2016 09:18:43 -0400
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324094335.GT16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324094335.GT16196@redhat.com>
Message-ID: <56F3E933.1060603@redhat.com>

On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
> I try to put separate areas of concerns into separate emails to make
> it easy to keep track.
>
> The document says
>
>         There is a new field in HBAC rule details for adding URI PCRE
>         as plain text.
>
> We need an easy way for the user to enter multiple URLs for the same
> rule.
The primary case is obviously the http / https duality
>
>         http://www.example.com/
>         https://www.example.com/

Yes, let's split up the Hostname and the URI matching into two entities.

The URI matching might well be very reusable: most applications like
Wordpress, OpenStack Horizon (and all the web services in OpenStack),
and the like have fairly regular rules that should be applicable.

From an administrator's perspective, they want to say

hostname has application at suburl X

From there on, they want to say "user has access to these kinds of
resources"

This is the Administrative pattern that seems to be working for Keystone.

>
> but there might be other situations when additional service is being
> deployed and it is supposed to use exactly the same rule as five
> existing ones. In that case the user has to be able to just add
> additional URL to existing HBAC rule, not be forced to create separate
> new rule which will likely go out of sync from the previous ones when
> they are edited.
> > In addition, there should be an easy way to see all HBAC rules for a > particular URL (and all sub-URLs) -- it should be possible to search > for > > www.example.com > > and see all the > > http://www.example.com/ HBAC rule name 1 > https://www.example.com/ HBAC rule name 1 > http://www.example.com/auth/ HBAC rule name 2 > https://www.example.com/auth/ HBAC rule name 2 > http://www.example.com/auth/admin/ HBAC rule name 3 > https://www.example.com/auth/admin/ HBAC rule name 3 > > ideally in some concise way if multiple URLs lead to the same rule > and changes between rules that differ: > > http(s)://www.example.com/ HBAC rule name 1 > http(s)://www.example.com/auth/ HBAC rule name 2 > User group: core-employees > http(s)://www.example.com/auth/admin/ HBAC rule name 3 > User group: network-admins > From pspacek at redhat.com Thu Mar 24 13:21:02 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 24 Mar 2016 14:21:02 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <20160324103953.GX16196@redhat.com> References: <56F2B93D.5090202@redhat.com> <56F2BC4F.8030908@redhat.com> <20160324103953.GX16196@redhat.com> Message-ID: <56F3E9BE.8010504@redhat.com> On 24.3.2016 11:39, Jan Pazdziora wrote: > On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote: >> >> I think case sensitivity might be pretty important too, though might be best >> left as an exercise for the user. > > For protocol and hostname it likely needs to be case insensitive. > for the rest of the URL there probably should be a checkbox for the > user to explicitly enable case-insensitivity. Schemes are indeed case-insensitive: https://tools.ietf.org/html/rfc3986#section-3.1 Everything else depends on scheme so user-selectable option sounds like a good idea. 
-- Petr^2 Spacek From mbasti at redhat.com Thu Mar 24 13:27:37 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 24 Mar 2016 14:27:37 +0100 Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer In-Reply-To: <56F3E3A5.9000207@redhat.com> References: <56EADD09.2060109@redhat.com> <56EC80D3.6010703@ubuntu.com> <56F3E3A5.9000207@redhat.com> Message-ID: <56F3EB49.7090701@redhat.com> On 24.03.2016 13:55, Jan Cholasta wrote: > On 18.3.2016 23:27, Timo Aaltonen wrote: >> On 17.03.2016 18:36, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5681 >> >> would be nicer if ipa-httpd.conf was a template with the current >> hardcoded values replaced with platform paths.. > > +1, I would also prefer if the file was renamed to > init/systemd/httpd.conf rather than install/share/ipa-httpd.conf. ipa-httpd.conf.template should be in /user/share/ipa, directory init/systemd copied only to rpm and then copied to /etc/systemd/system AFAIK > >> >> >> not relevant to this patch, but there are others candidates for >> templates like: >> >> daemons/dnssec/ipa-dnskeysyncd.service >> daemons/dnssec/ipa-ods-exporter.service >> install/conf/ipa.conf > From pspacek at redhat.com Thu Mar 24 13:30:06 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 24 Mar 2016 14:30:06 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F3E6C6.10700@redhat.com> References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56F3D1BD.1050000@redhat.com> <20160324122402.GA16196@redhat.com> <56F3E6C6.10700@redhat.com> Message-ID: <56F3EBDE.1090008@redhat.com> On 24.3.2016 14:08, Martin Kosek wrote: > On 03/24/2016 01:24 PM, Jan Pazdziora wrote: >> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote: >>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote: >>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: >>> ... 
>>>> You present two solutions to the problem -- deny rules, and regular >>>> expressions. 
>>> >>> For the record, HBAC deny rules is something we will want to avoid. Deny HBAC >> >> Certainly. And for the current HBAC's model of user (groups), host >> (groups), service (groups), you can tell the admin to structure their >> environment and groups in such a way that they are not needed. > > Right. > >> But the question is, if you want for the admin to be able to control >> access to a website where longer URLs often need to be more restricted >> than the shorter ones, what mechanism do you propose? It is not >> possible to positively (for allow purposes) list only exhaustive list >> of URL prefixes that should have the broader access allowed -- new >> versions of the web application can introduce additional URLs into the >> namespace, and the URLs are not identities like users or hosts that >> FreeIPA would be aware of that that you could easily manage by putting >> them to groups. > > I agree it is complicated. While Deny HBAC rules is something we do not want, > allowing exclusive rules for an HBAC URI rule may be acceptable. This would be > the same approach we chose with Exclusive Time rules in Time-Based HBAC: > > http://www.freeipa.org/page/V4/Time-Based_Account_Policies#Time_Policies_Storage > > For the URI identifiers, we should also try to reinvent the wheel here. Can > adopt an approach used in some of the most common frameworks for URL matching? > Take Django for example: > > https://docs.djangoproject.com/en/1.9/topics/http/urls/ > > Using the pattern approach you mentioned elsewhere could work, I am just > worried how much user friendly it would be for non-developers. But we can also > make use these patterns as the raw storage format and build some nice UI/CLI on > top of it. > >> The natural way to think about access to web URLs is to say "I only >> want admins to access /application/users/admin/". Which of course >> means "I want to deny everyone who has otherwise access to other URLs, >> except for admins". 
> > Can we do the same as with current default "allow all" rule? I.a. allow "/" for > all sites by default and let admin to remove that for sites with access > controlled and restricted by FreeIPA HBAC. This would mean admin would > typically need to define some general rule the site accessible by all with the > exceptions defined in "exclude" access rules and then build the rules specific > to these excluded parts of the application URL tree. I really do not like 'excludes'... Was an approach with longest prefix match considered as an option? I do not see it in the design page. E.g. imagine we have rules: / -> allow anyone /users -> allow all authenticated users /users/edit -> allow admins If the matching engine always selects rule with matching prefix and evaluate only that rule, it would nicely express who is allowed to access what and did not require deny rules (or even rule merging). -- Petr^2 Spacek From jpazdziora at redhat.com Thu Mar 24 13:32:58 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Thu, 24 Mar 2016 14:32:58 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F3E6C6.10700@redhat.com> References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56F3D1BD.1050000@redhat.com> <20160324122402.GA16196@redhat.com> <56F3E6C6.10700@redhat.com> Message-ID: <20160324133258.GB16854@redhat.com> On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote: > > I agree it is complicated. While Deny HBAC rules is something we do not want, > allowing exclusive rules for an HBAC URI rule may be acceptable. This would be > the same approach we chose with Exclusive Time rules in Time-Based HBAC: > > http://www.freeipa.org/page/V4/Time-Based_Account_Policies#Time_Policies_Storage Right. The accessTimeExclude effectively seems to be DENY, in a sense that you need to evaluate it to "override" other accessTime records that might have allowed the access. 
And if you miss the record with accessTimeExclude, you've allowed access that shouldn't have been allowed. > For the URI identifiers, we should also try to reinvent the wheel here. Can > adopt an approach used in some of the most common frameworks for URL matching? > Take Django for example: > > https://docs.djangoproject.com/en/1.9/topics/http/urls/ Not sure which part of the approach you have in mind. Django uses a list url()s, which gives explicit order in which they are evaluated / matched. To emulate that in IPA, using some mechanism to give the LDAP records stable ordering (unique integer attribute?) might work. But that might be perceived as foreign concept in otherwise "declarative" nature of HBAC rule (and LDAP in general). > Using the pattern approach you mentioned elsewhere could work, I am just > worried how much user friendly it would be for non-developers. But we can also > make use these patterns as the raw storage format and build some nice UI/CLI on > top of it. I actually prefer left prefix to regular expression patterns. > Can we do the same as with current default "allow all" rule? > I.a. allow "/" for I'm not really fond of the allow_all rule because starting with the default setup when it is enabled (and HBAC in effect not playing any role) and wanting to start using HBAC just for one machine means pretty big manual effort: http://www.freeipa.org/page/Howto/HBAC_and_allow_all > all sites by default and let admin to remove that for sites with access > controlled and restricted by FreeIPA HBAC. The question is, how do you know that a site is access controlled? If a rule (with URL part) does not match the requested URL, it doesn't mean there isn't such a rule and that access should be allowed. Maybe the right approach is to make "sites" a first-class citizen, so that you can be explicit about using the URL-based access control for a particular site or not. 
> This would mean admin would > typically need to define some general rule the site accessible by all with the > exceptions defined in "exclude" access rules and then build the rules specific > to these excluded parts of the application URL tree. Right, and we also need to give admin a very easy way to define those excludes implicitly, by having the additional (sub-URL) rules automatically populate those excludes for the "parent" URLs. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From jcholast at redhat.com Thu Mar 24 13:36:13 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 24 Mar 2016 14:36:13 +0100 Subject: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty In-Reply-To: <56F3E801.1010302@redhat.com> References: <56DEEDEF.6020105@redhat.com> <56DEFF59.7020907@redhat.com> <56DF01C0.2010207@redhat.com> <56DFBD6F.8010100@redhat.com> <56E81DE1.4020904@redhat.com> <56E83E5F.8060601@redhat.com> <1458076973.21679.20.camel@redhat.com> <56E8FC42.1000605@redhat.com> <1458131710.2518.0.camel@redhat.com> <56E95CEA.3070509@redhat.com> <56F12C4D.70906@redhat.com> <56F3E1F2.1060807@redhat.com> <56F3E801.1010302@redhat.com> Message-ID: <56F3ED4D.10203@redhat.com> On 24.3.2016 14:13, Martin Babinsky wrote: > On 03/24/2016 01:47 PM, Martin Babinsky wrote: >> On 03/22/2016 12:28 PM, Martin Babinsky wrote: >>> On 03/16/2016 02:17 PM, Martin Babinsky wrote: >>>> On 03/16/2016 01:35 PM, Nathaniel McCallum wrote: >>>>> On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: >>>>>> On 15.3.2016 22:22, Nathaniel McCallum wrote: >>>>>>> >>>>>>> On Tue, 2016-03-15 at 17:54 +0100, Martin Babinsky wrote: >>>>>>>> >>>>>>>> On 03/15/2016 03:36 PM, Martin Babinsky wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On 03/09/2016 07:06 AM, Jan Cholasta wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 8.3.2016 17:45, Martin Babinsky wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 03/08/2016 05:35 PM, Jan Cholasta wrote: 
>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> On 8.3.2016 16:21, Martin Babinsky wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5700 >>>>>>>>>>>> 1) Instead of checking for utf-8 in particular, I would >>>>>>>>>>>> prefer a more >>>>>>>>>>>> robust approach: >>>>>>>>>>>> >>>>>>>>>>>> try: >>>>>>>>>>>> qr = qrcode.QRCode() >>>>>>>>>>>> qr.add_data('test') >>>>>>>>>>>> qr.make() >>>>>>>>>>>> qr.print_ascii(tty=True) >>>>>>>>>>>> except UnicodeError: >>>>>>>>>>>> # it is not printable >>>>>>>>>>>> else: >>>>>>>>>>>> # it is printable >>>>>>>>>>>> >>>>>>>>>>> Now you mean the check in the _check_qrcode_capability() or >>>>>>>>>>> the >>>>>>>>>>> _print_qrcode() method itself? >>>>>>>>>> _check_qrcode_capability() of course. >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> 2) There is no os.isatty() check to see if stdout is >>>>>>>>>>>> actually >>>>>>>>>>>> a tty. >>>>>>>>>>>> >>>>>>>>>>> This check is performed inside both print_ascii() and >>>>>>>>>>> print_tty() >>>>>>>>>>> methods of QRCode object, but you probably mean that I >>>>>>>>>>> should >>>>>>>>>>> put the >>>>>>>>>>> check also into _check_qrcode_capability() method, right? >>>>>>>>>> Yes. If stdout is not a tty, we should at least not tty=True >>>>>>>>>> in >>>>>>>>>> print_ascii(). >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Honza >>>>>>>>>>>> >>>>>>>>> Attaching updated patch. After the discussion with other >>>>>>>>> developers >>>>>>>>> we >>>>>>>>> decided to just print warnings when non-UTF-8 encoding is used >>>>>>>>> and >>>>>>>>> tty >>>>>>>>> width is smaller that the QR code size. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Found some minor errors in the patch, attaching updated version. >>>>>>> NACK >>>>>>> >>>>>>> This patch has the major problem that tokens are added but then >>>>>>> unusable because they can't be provisioned to the devices. 
You need >>>>>>> to >>>>>>> check if qrcode output is possible before the token is added to >>>>>>> LDAP. >>>>>> We discussed this on the IPA devel meeting and the decision was that >>>>>> since the otpauth URI is always displayed, a warning is sufficient >>>>>> when >>>>>> the QR code cannot be printed. >>>>>> >>>>>> If you disagree, could you explain why the URI is not sufficient for >>>>>> provisioning the token? >>>>> >>>>> I guess that is okay. >>>>> >>>> >>>> Thank you Nathaniel. >>>> >>>> Jan had some offline comments to the patch. Attaching updated version. >>>> >>>> >>>> >>> Attaching updated patches. >>> >>> >>> >> I fixed the warning message when the QR code can not be rendered. >> >> Attaching updated patches. >> >> >> > 6th time the charm. Thanks, ACK. Pushed to: master: 7febe569cede47b50a0ee1b19968627716ddbc0d ipa-4-3: 77e9d31c75f7514f076662ac4e3ffcf66915880f -- Jan Cholasta From mbasti at redhat.com Thu Mar 24 13:37:29 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 24 Mar 2016 14:37:29 +0100 Subject: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker In-Reply-To: <56F3C893.8080107@redhat.com> References: <2134068455.1326509.1450781775764.JavaMail.zimbra@redhat.com> <1902672460.4566340.1452602887525.JavaMail.zimbra@redhat.com> <1118746236.11920442.1452868635399.JavaMail.zimbra@redhat.com> <569CD698.4020900@redhat.com> <1592657483.12984474.1453123591078.JavaMail.zimbra@redhat.com> <56A7B764.3080202@redhat.com> <212120579.19163053.1453974347696.JavaMail.zimbra@redhat.com> <56DE9B15.40305@redhat.com> <1335569448.42727105.1457707349989.JavaMail.zimbra@redhat.com> <56F3C893.8080107@redhat.com> Message-ID: <56F3ED99.2040705@redhat.com> On 24.03.2016 11:59, Milan Kubík wrote: > On 03/11/2016 03:42 PM, Filip Skola wrote: >> >> ----- Original Message ----- >>> On 01/28/2016 10:45 AM, Filip Skola wrote: >>>>> The same as with patch 0002: >>>>> ************* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin >>>>> W:142,26: 
Calling a dict.iter*() method (dict-iter-method) >>>>> >>>>> Please use dict.items method. >>>>> >>>>> -- >>>>> Milan Kubik >>>>> >>>>> >>>> Hi, >>>> >>>> attaching a fixed patch. This patch is dependent on updated group >>>> plugin >>>> test patch 0002-7. >>>> >>>> Filip >>> Hello, sorry for delay. The patch no longer applies after 0002-8. >>> >>> -- >>> Milan Kubik >>> >>> >> Hi, >> >> rebased. The next patch should be applicable on top of this one. >> >> Filip > Sorry for long delays. ACK. > Pushed to master: ab3f652dc105a4a88911c786e77221441977b30d From mbasti at redhat.com Thu Mar 24 13:38:53 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 24 Mar 2016 14:38:53 +0100 Subject: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin In-Reply-To: <56F3C8A8.2050809@redhat.com> References: <1693360345.1327020.1450781862487.JavaMail.zimbra@redhat.com> <991418926.1327028.1450781870579.JavaMail.zimbra@redhat.com> <20160307145336.2fa0f064@dhcp-24-122.brq.redhat.com> <56F3C8A8.2050809@redhat.com> Message-ID: <56F3EDED.1040109@redhat.com> On 24.03.2016 11:59, Milan Kubík wrote: > On 03/07/2016 02:53 PM, Filip Škola wrote: >> Sorry, forgot to cc you, Milan. >> >> F. >> >> On Tue, 22 Dec 2015 05:57:50 -0500 (EST) >> Filip Skola wrote: >> >>> And also sending refactored hostgroup plugin test. >>> >>> F > Sorry for long delay. ACK. > Pushed to master: 49c015b2ed6063157bb5e07882ae2ad7e9508971 From rcritten at redhat.com Thu Mar 24 13:39:11 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 24 Mar 2016 09:39:11 -0400 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F3E933.1060603@redhat.com> References: <56F2B93D.5090202@redhat.com> <20160324094335.GT16196@redhat.com> <56F3E933.1060603@redhat.com> Message-ID: <56F3EDFF.6080308@redhat.com> Adam Young wrote: > On 03/24/2016 05:43 AM, Jan Pazdziora wrote: >> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš 
Hellebrandt wrote: >>> I created a design page for the feature: >>> >>> http://www.freeipa.org/page/URI-based-HBAC-design >> I try to put separate areas of concerns into separate emails to make >> it easy to keep track. >> >> The document says >> >> There is a new field in HBAC rule details for adding URI PCRE >> as plain text. >> >> We need an easy way for the user to enter multiple URLs for the same >> rule. The primary case is obviously the http / https duality >> >> http://www.example.com/ >> https://www.example.com/ > > Yes, let's split up the Hostname and the URI matching into two entities. I wasn't entirely clear when I brought this up. The design is a little fuzzy whether the previous HBAC elements are all required but potentially we _already_ have the hostname that this applies to. I think dealing with just the path would be much more straightforward. Of course that doesn't take into account virtual hosts/SNI, so maybe host is relevant after all. > The URI matching might well be very reusable: most applications like > Wordpress, OpenStack Horizon (and all the web services in > OpenStack), and the like have fairly regular rules that should be > applicable. > > > From an administrator's perspective, they want to say hostname has > application at suburl X > From there on, they want to say "user has access to these kinds of > resources" > This is the Administrative pattern that seems to be working for Keystone. > > >> >> but there might be other situations when additional service is being >> deployed and it is supposed to use exactly the same rule as five >> existing ones. In that case the user has to be able to just add >> additional URL to existing HBAC rule, not be forced to create separate >> new rule which will likely go out of sync from the previous ones when >> they are edited. 
>> >> In addition, there should be an easy way to see all HBAC rules for a >> particular URL (and all sub-URLs) -- it should be possible to search >> for >> >> www.example.com >> >> and see all the >> >> http://www.example.com/ HBAC rule name 1 >> https://www.example.com/ HBAC rule name 1 >> http://www.example.com/auth/ HBAC rule name 2 >> https://www.example.com/auth/ HBAC rule name 2 >> http://www.example.com/auth/admin/ HBAC rule name 3 >> https://www.example.com/auth/admin/ HBAC rule name 3 >> >> ideally in some concise way if multiple URLs lead to the same rule >> and changes between rules that differ: >> >> http(s)://www.example.com/ HBAC rule name 1 >> http(s)://www.example.com/auth/ HBAC rule name 2 >> User group: core-employees >> http(s)://www.example.com/auth/admin/ HBAC rule name 3 >> User group: network-admins You better illustrated my point about protocol. This could easily explode, though I guess it could be mitigated via regex http[s]?://www.example.com[/]? ... But when a pattern emerges then perhaps the design should just take care of that for the user. rob From jpazdziora at redhat.com Thu Mar 24 13:49:39 2016 From: jpazdziora at redhat.com (Jan Pazdziora) Date: Thu, 24 Mar 2016 14:49:39 +0100 Subject: [Freeipa-devel] URI in HBAC - design page In-Reply-To: <56F3EBDE.1090008@redhat.com> References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56F3D1BD.1050000@redhat.com> <20160324122402.GA16196@redhat.com> <56F3E6C6.10700@redhat.com> <56F3EBDE.1090008@redhat.com> Message-ID: <20160324134939.GF16196@redhat.com> On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote: > > I really do not like 'excludes'... Was an approach with longest prefix match > considered as an option? I do not see it in the design page. > > E.g. 
imagine we have rules: > / -> allow anyone > /users -> allow all authenticated users > /users/edit -> allow admins > > If the matching engine always selects rule with matching prefix and evaluate > only that rule, it would nicely express who is allowed to access what and did > not require deny rules (or even rule merging). The "Prefix" Evaluation item talks about it. The perceived issue is, if for some reason you miss the longest record when evaluating, you will use the previous shorter one and allow more access than intended. So from certain POV it's similar to DENY rules -- if you miss the DENY rule for some reason, you will go with the allow rule. If the excludes are kept up-to-date automatically for each URI record, matching the next longer prefix, whatever record you find will include in some attribute information about limits of its validity. That might address the concern of security implication of exclude / deny / longest record not found. I don't like manual excludes either. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From rcritten at redhat.com Thu Mar 24 13:55:25 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 24 Mar 2016 09:55:25 -0400 Subject: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer In-Reply-To: <56F3E6EB.5040805@redhat.com> References: <56EADD09.2060109@redhat.com> <56EC0CC5.5040209@redhat.com> <56F3E6EB.5040805@redhat.com> Message-ID: <56F3F1CD.1070204@redhat.com> Jan Cholasta wrote: > On 18.3.2016 15:12, Martin Babinsky wrote: >> On 03/17/2016 05:36 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5681 >>> >>> Patch attached. >>> >>> >> Hi Martin, >> >> Nitpick attack: >> >> Please fix the commit message: "File httpd.service was created by RPM, >> what causes that httpd service may", should be "..., which causes" >> >> Otherwise the code looks good and works as expected. 
>> >> However, you still cannot start httpd.service after ipa-server >> uninstallation because some leftovers in /ipa/httpd/alias cause mod_nss >> to fail (see http error_log): >> >> """ >> [Fri Mar 18 12:43:29.320276 2016] [suexec:notice] [pid 2033] AH01232: >> suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) >> [Fri Mar 18 12:43:29.320288 2016] [:warn] [pid 2033] >> NSSSessionCacheTimeout is deprecated. Ignoring. >> [Fri Mar 18 12:43:29.444287 2016] [:error] [pid 2033] Password for slot >> internal is incorrect. >> [Fri Mar 18 12:43:29.446090 2016] [:error] [pid 2033] NSS initialization >> failed. Certificate database: /etc/httpd/alias. >> [Fri Mar 18 12:43:29.446100 2016] [:error] [pid 2033] SSL Library Error: >> -8177 The security password entered is incorrect >> >> """ >> >> I guess that this is beyond this patch, since I think it is related to >> https://fedorahosted.org/freeipa/ticket/4639 but I am not sure. CC'ing >> Jan who owns the ticket. > > It seems so, on uninstall we restore mod_nss config, so httpd uses the > default password (whatever that is), but the database still uses the > password set by us on install. > The default password is blank, so no auth is required. IIRC the reason we didn't move NSS databases around between installs is the case where there is already a private key that needs to be maintained. rob From pvoborni at redhat.com Thu Mar 24 14:27:53 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 24 Mar 2016 15:27:53 +0100 Subject: [Freeipa-devel] [PATCH] 956 replicainstall: log ACI and LDAP errors in promotion check Message-ID: <56F3F969.3050506@redhat.com> to enable debugging of such errors. E.g.: https://fedorahosted.org/freeipa/ticket/5741 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pvoborni-0956-replicainstall-log-ACI-and-LDAP-errors-in-promotion-.patch Type: text/x-patch Size: 1269 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Mar 24 15:14:44 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 24 Mar 2016 16:14:44 +0100 Subject: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded In-Reply-To: <56F16481.9070304@redhat.com> References: <56EBCA37.6020306@redhat.com> <56EBF959.3060807@redhat.com> <56EFBC2C.8030300@redhat.com> <56EFDA20.9090005@redhat.com> <56F1608A.4060805@redhat.com> <56F16481.9070304@redhat.com> Message-ID: <56F40464.7000804@redhat.com> On 03/22/2016 04:28 PM, Rob Crittenden wrote: > Martin Babinsky wrote: >> On 03/21/2016 12:25 PM, Jan Cholasta wrote: >>> On 21.3.2016 10:17, Petr Spacek wrote: >>>> On 18.3.2016 13:49, Rob Crittenden wrote: >>>>> Martin Babinsky wrote: >>>>>> These patches implement behavior agreed upon during discussion of >>>>>> https://fedorahosted.org/freeipa/ticket/5677 >>>>>> >>>>>> However I'm not sure if we want to push them into 4-3 branch (the >>>>>> ticket >>>>>> is triaged into 4.3.2 milestone) since they modify the framework >>>>>> behavior quite a bit. >>>>>> >>>>>> If there is no need to have it there (CC'ing Milan since he is the >>>>>> reporter), I would retriage it into 4.4 milestone. >>>>> >>>>> >>>>> + desc="while getting entries (search base: '{}'," >>>>> + "filter: {})".format(base_dn, filter)) >>>>> >>>>> This is going to expose parts of the DIT in an error message to >>>>> users. We have >>>>> tried in the past to hide the implementation. I'd propose logging the >>>>> error >>>>> and making the exception less verbose. >>> >>> I agree with Rob here, we shouldn't expose internal stuff in error >>> messages for users. >>> >>> In this particular case, even if we included internal stuff in the error >>> message, it should be the error message returned by the server rather >>> than this ad-hoc message. 
>>> >>>> >>>> IMHO it actually helps to print the DN. At very least the user can see >>>> if the >>>> error is happening always with the same DN or if it keeps changing. >>>> >>>> In other words, for user it is not that important to understand >>>> meaning of the >>>> DN but it might be important to see if it is the same or not. >>> >>> I can't imagine a situation where it would actually be useful for the >>> user (as opposed to the admin, who has access to logs) to know the base >>> DN of some arbitrary LDAP search operation. Could you give an example? >>> >> Right, attaching updated patches. > > I may have suggested debug logging the detailed error. I was wrong. This > should log at the error level so it always appears in the logs. This may > be a spurious error and having the user turn on debug logging to capture > the reasons would be asking a lot. > > rob That's right, the user would then have to enable debug mode and re-run the command. I have changed the log level to error as you suggested. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0143.2-differentiate-between-limit-types-when-LDAP-search-e.patch Type: text/x-patch Size: 12808 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0144.2-specify-type-of-exceeded-limit-when-warning-about-tr.patch Type: text/x-patch Size: 4901 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Mar 24 17:08:19 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 24 Mar 2016 18:08:19 +0100 Subject: [Freeipa-devel] [TEST][Patch-0030]Next part of replica promotion tests In-Reply-To: <56EFEE3E.5010202@redhat.com> References: <56EFEE3E.5010202@redhat.com> Message-ID: <56F41F03.9020609@redhat.com> On 03/21/2016 01:51 PM, Oleg Fayans wrote: > > > Hi Oleg, I have a few comments: 1.) 
please make the commit message more clear, briefly describe what kind of test cases were added to the suite and maybe add a link to the test plan. 2.) I see negative test scenarios for attempting to issue 'ipa-csreplica-manage connect' and 'disconnect' under domain level 1. However, for full coverage there should be also a negative test case for 'ipa-csreplica-manage del' which should also issue error in domain level 1, see https://git.fedorahosted.org/cgit/freeipa.git/commit/install/tools/ipa-csreplica-manage?h=ipa-4-3&id=6119dbb9a915283434f718b38a70017e3ad00840 Could you please add this case to the patch and also to the Test plan so that we have full coverage of this? 3.) test_one_command_installation exploded during client enrollment part on "Joining realm failed: incorrect password". This is probably caused by missing '-P', 'admin' option here: """ + self.replicas[0].run_command(['ipa-replica-install', '-p', + self.master.config.admin_password, + '-n', self.master.domain.name, + '-r', self.master.domain.realm]) + """ 4.) I am not very happy about the organization of 'TestUnprivilegedUserPermissions' class. For starters, I would add this whole block: """ + password = self.master.config.dirman_password + new_password = '$ome0therPaaS' + replica = self.replicas[0] + adduser_stdin_text = "%s\n%s\n" % (self.master.config.admin_password, + self.master.config.admin_password) + user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, new_password, + new_password) + tasks.kinit_admin(self.master) + self.master.run_command(['ipa', 'user-add', 'testuser', '--password', + '--first', 'John', '--last', 'Donn'], + stdin_text=adduser_stdin_text) + # Now we need to change the password for the user + self.master.run_command(['kinit', 'testuser'], + stdin_text=user_kinit_stdin_text) + # And again kinit admin + tasks.kinit_admin(self.master) """ into 'install()' method, since it indeed sets-up the test harness. 
You can add the user name and password to class members so that you can then use them from the test cases. Which brings me to the second point: I know that the test plan mentions this as a single test case, but I would like this: """ + result1 = replica.run_command(['ipa-client-install', '-p', 'testuser', + '-w', new_password, + '--domain', replica.domain.name, + '--realm', replica.domain.realm, '-U'], + raiseonerr=False) + assert_error(result1, "No permission to join this host", 1) + tasks.install_client(self.master, replica) + result2 = replica.run_command(['ipa-replica-install', '-P', 'testuser', + '-p', new_password, + '-n', self.master.domain.name, + '-r', self.master.domain.realm], + raiseonerr=False) + assert_error(result2, + "Insufficient privileges to promote the server", 1) + self.master.run_command(['ipa', 'group-add-member', 'admins', + '--users=testuser']) + + replica.run_command(['ipa-replica-install', '-P', 'testuser', + '-p', new_password, + '-n', self.master.domain.name, + '-r', self.master.domain.realm]) """ to be split into three separate test methods for the sake of clarity, e.g.: "test_client_enrollment_by_unprivileged_user" "test_replica_install_by_unprovileged_user" "test_replica_install_after_adding_to_admin_group" 5.) """ + result = self.replicas[0].run_command(['ipa-server-install', + '--uninstall', '-U'], + raiseonerr=False) + assert("Uninstallation leads to disconnected topology" + in result.stderr_text) + self.replicas[0].run_command(['ipa-server-install', '--uninstall', + '-U', '--ignore-topology-disconnect']) """ here you should assert against command stdout, since the error message is emitted only by plain print(). Yes it is weird but that's the way it is. It will probably be changed when I implement https://fedorahosted.org/freeipa/ticket/5588 so we can fix it when the ticket is finished. 
-- Martin^3 Babinsky From slaznick at redhat.com Thu Mar 24 18:10:27 2016 From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 24 Mar 2016 19:10:27 +0100 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> Message-ID: <56F42D93.5050505@redhat.com> On 03/23/2016 08:13 PM, Martin Basti wrote: > [...] > Can you please update design > http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly > the --suffix option)? Also there are missing clean-ruv and list-ruv > commands in design, and fix usage at the bottom. > > 1) > I don't understand this expression > + if dirman_passwd is None or ( > + not dirman_passwd and args[0] in cs_enabled_commands): > > You already tested if subcommand belongs to cs_enabled_commands few > lines above, IMO the 'dirman_password is None' expression is enough. If I understand it well, when empty password is entered, the program continues and uses Kerberos credentials for some operations. E.g. for list-ruv, if empty password is entered, the command would only display RUVs for domain tree but not for the CA tree no matter if CA is set up or not (in the current state of the patch, after get_ruv refactoring). This here is one possible way around this, although the check for non-empty password might probably just as well be in get_ruv_both_suffixes. 
> 2) > +# tuple of commands that work with ca tree and need Directory Manager > password > +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv") > > this variable is used only toi detect if dirman passwd is needed, I > suggest to rename it to commands_req_dirman_passwd, or something better. > > 3) > Q: Do we need is_cs_set() function? > A: Yes! > > I wanted to give you ultimate NACK, but then I checked how get_ruv code > works and I changed my mind. > > Please write a comment where is_cs_set function is used, why we need > extra function instead of catching an exception, possibly you can open a > refactoring ticket. After the refactoring changes, is_cs_set should not be needed anymore, removed it. > > Shame: > 1) > + if not test_connection(realm, host, options.nolookup) or\ > Please use parentheses instead of backslash > > 2) > + args[0] in cs_enabled_commands: > > + not dirman_passwd and args[0] in cs_enabled_commands): > > Indentation is not multiplication of 4 Shame on me indeed, fixed it. > > Nitpicks (I don't insist on fixing these): > 1) > + if servers.get('ca', None): > > None is default > > 2) > + for (netloc, rid) in servers['ca']: > parentheses are not needed > > 3) > + print("\t%s: %s" % (netloc, rid)) > Would be nice to use .format() instead of % > > Martin^2 > > > > I changed my mind, ultimate NACK. > Please fix get_ruv function, is_cs_set will not help. In case there are no RUVs but CA is installed, sys.exit there prevents us from removing RUVs (or any else operation) on domain suffix, and vice versa. > I propose to move ticket to 4.4 milestone because I would like to avoid breaking something in 4.3, as this will hit many places in ipa-replica-manage. > > Please provide the refactoring of get_ruv as separate patch a put these patches on top of it. > > Martin2 Did the refactoring. There also seemed to be duplicit code in abort_clean_ruv for some reason, removed it (I hope it does not break anything, but it seemed rather useless). 
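Review bot: In the quoted condition `dirman_passwd is None or (not dirman_passwd and args[0] in cs_enabled_commands)`, the second operand can only become true for an empty, non-None password, and nothing on the line says so, which is what prompted the question in review. Since both operands lead to the same branch, an empty Directory Manager password is handled like a missing one for exactly the commands listed in `cs_enabled_commands`. State that in a one-line comment above the `if`, or do the non-empty check next to the CA-suffix RUV lookup as the reply proposes, so the special case lives where it matters.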
Also had to change the numbers of the patches so that they would apply.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0026-ipa-replica-manage-refactoring.patch
Type: text/x-patch
Size: 5261 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0027-abort-clean-list-clean-ruv-now-work-for-both-suffixe.patch
Type: text/x-patch
Size: 10960 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0028-Moved-password-check-from-clean_dangling_ruv.patch
Type: text/x-patch
Size: 2505 bytes
Desc: not available
URL:

From pvoborni at redhat.com  Thu Mar 24 21:23:17 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 24 Mar 2016 22:23:17 +0100
Subject: [Freeipa-devel] Announcing FreeIPA 4.3.1
Message-ID: <56F45AC5.3050807@redhat.com>

The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 will be available in the official FreeIPA CentOS7 COPR repository shortly after Easter Holidays.

This announcement with links to Trac tickets is available on http://www.freeipa.org/page/Releases/4.3.1 .

Fedora 24 update: https://bodhi.fedoraproject.org/updates/freeipa-4.3.1-1.fc24

== Highlights in 4.3.1 ==

=== Enhancements ===
* FreeIPA Apache instance has an updated mod_nss cipher suite to only allow secure ciphers #5589
* [[Directory Server]] is configured with "default" cipher suite instead of "+all" #5684
* topology graph user experience was improved. Graph is enlarged to fill all available space. It can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
* MS-PAC extension was made optional for users #2579, currently without UI #5752
* added option to disable preauth for service principal names. Configurable via ipaconfigstring value "KDC:Disable Default Preauth for SPNs" in server config. #3860
* improved behavior of DNA plugin in complex FreeIPA environments where replicas are not all interconnected so that directory server is able to lookup ranges on other servers once a range is exhausted #4026
* 3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
* `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dangling RUVs, especially the ones related to CA suffix #5411
* deprecated keytab_set extended operation was removed from ipasam module #5495
* an option was added to Web UI to allow to specify GID number in user adder dialog
* improved warning message on uninstallation of replica notifying that admin might be removing the last CA, KRA or DNSSec master #5544
* FreeIPA python packages were made independent on architecture (noarch) #5596
* AD users are now shown as members of IPA groups when external group is added to IPA group #4403

=== Bug fixes ===
* fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
* fixed bug where ipa-server-install didn't stop on error and subsequently reported incorrect root cause #2539
* fixed bug where ipa-ca-install hung on creating a temporary CA admin during replica promotion #5412
* fixed issue with vault-archive command sometimes not working #5538
* fixed regression in Web UI where required indicator '*' was missing on Global Password Policy page, priority field #5553
* fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563
* fixed bug where DNS zone overlap check caused failure of ipa-dns-install #5564
* fixed upgrade bug which prevents installation of replicas from masters updated to 4.3.0 #5575
* fixed rare bug in connection handling which can cause a crash of KDC #5577
* fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
* fixed not displaying suffixes in IPA servers table in Web UI #5609
* fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
* fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663

== Upgrading ==
Upgrade instructions are available on upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.3.0 ==

=== Abhijeet Kasurde (1) ===
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (3) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall
* Modernize mod_nss's cipher suites
* Move user/group constants for PKI and DS into ipaplatform

=== David Kupka (19) ===
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.
* ipa-dns-install: Do not check for zone overlap when DNS installed.
* ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
* installer: Change reverse zones question to better reflect reality.
* Fix: Use unattended parameter instead of options.unattended
* CI: Add '2-connected' topology generator.
* CI: Add simple replication test in 2-connected topology.
* CI: Add test for 2-connected topology generator.
* CI: Fix pep8 errors in 2-connected topology generator
* CI: add empty topology test for 2-connected topology generator
* CI: Add double circle topology.
* CI: Add replication test utilizing double-circle topology.
* CI: Add test for double-circle topology generator.
* CI: Make double circle topology python3 compatible
* upgrade: Match whole pre/post command not just basename.
* dsinstance: add start_tracking_certificates method
* httpinstance: add start_tracking_certificates method
* Look up HTTPD_USER's UID and GID during installation.

=== Filip Skola (3) ===
* Refactor test_user_plugin, use UserTracker for tests
* Refactor test_replace
* Refactor test_attr

=== Fraser Tweedale (1) ===
* Do not decode HTTP reason phrase from Dogtag

=== Jan Cholasta (13) ===
* ipalib: assume version 2.0 when skip_version_check is enabled
* ipapython: remove default_encoding_utf8
* ipapython: port p11helper C code to Python
* ipapython: use python-cryptography instead of libcrypto in p11helper
* spec file: package python-ipalib as noarch
* cert renewal: import all external CA certs on IPA CA cert renewal
* replica install: validate DS and HTTP server certificates
* replica promotion: fix AVC denials in remote connection check
* test_ipagetkeytab: fix missing import
* cacert install: fix trust chain validation
* client: stop using /etc/pki/nssdb
* certdb: never use the -r option of certutil
* daemons: remove unused erroneous _ipap11helper import

=== Ludwig Krispenz (1) ===
* prevent moving of topology entries out of managed scope by modrdn operations

=== Lukáš Slebodník (1) ===
* IPA-SAM: Fix build with samba 4.4

=== Martin Babinsky (21) ===
* raise more descriptive Backend connection-related exceptions
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* tests for package version comparison
* fix Py3 incompatible exception instantiation in replica install code
* ipa-csreplica-manage: remove extraneous ldap2 connection
* IPA upgrade: move replication ACIs to the mapping tree entry
* uninstallation: more robust check for master removal from topology
* correctly set LDAP bind related attributes when setting up replication
* disable RA plugins when promoting a replica from CA-less master
* fix standalone installation of externally signed CA on IPA master
* reset ldap.conf to point to newly installer replica after promotion
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment
* test_cert_plugin: use only first part of the hostname to construct short name
* only search for Kerberos SRV records when autodiscovery was requested
* spec: add conflict with bind-chroot to freeipa-server-dns
* spec: require python-cryptography newer than 0.9
* otptoken-add: improve the robustness of QR code printing

=== Martin Bašti (36) ===
* Fix DNS tests: dns-resolve returns warning
* Fix version comparison
* Fix: replace mkdir with chmod
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* DNSSEC test: fix adding zones with --skip-overlap-check
* DNSSEC CI: add missing ldns-utils dependency
* CI test: fix regression in task.install_kra
* Warn about potential loss of CA, KRA, DNSSEC during uninstall
* Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
* Exclude o=ipaca subtree from Retro Changelog (syncrepl)
* Fix DNSSEC test: add glue record
* DNSSEC CI: fix zone delegations
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* Py3: do not use dict.iteritems()
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Revert "test: Temporarily increase timeout in vault test."
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* CI: allow customized DS install test to work with domain levels
* fix suspicious except statements
* Configure 389ds with "default" cipher suite
* krb5conf: use 'true' instead of 'yes' for forwardable option
* stageuser-activate: Normalize manager value
* Remove redundant parameters from CS.cfg in dogtaginstance
* Fix broken trust warnings
* spec: Add missing dependencies to python*-ipalib package
* SPEC: do not run upgrade when ipa server is not installed
* Fix stageuser-activate - managers test

=== Michael Simacek (1) ===
* Fix bytes/string handling in rpc

=== Milan Kubík (6) ===
* ipatests: Roll back the forwarder config after a test case
* ipatests: Fix configuration problems in dns tests
* ipatests: Make the A record for hosts in topology conditional
* ipatests: fix the install of external ca
* ipatests: Add missing certificate profile fixture
* ipatests: extend permission plugin test with new expected output

=== Oleg Fayans (17) ===
* CI tests: Enabled automatic creation of reverse zone during master installation
* CI tests: Added domain realm as a parameter to master installation in integration tests
* Fixed install_ca and install_kra under domain level 0
* fixed an issue with master installation not creating reverse zone
* Enabled recreation of test directory in apply_common_fixes function
* Updated connect/disconnect replica to work with both domainlevels
* Removed --ip-address option from replica installation
* Removed messing around with resolv.conf
* Integration tests for replica promotion feature
* Enabled setting domain level explicitly in test class
* Removed a constantly failing call to prepare_host
* Made apply_common_fixes call at replica installation independent on domain_level
* Workaround for ticket 5627
* Added copyright info to replica promotion tests
* rewrite a misprocessed teardown_method method as a custom decorator
* Reverted changes in mh fixture causing some tests to fail
* Fixed a bug with prepare_host failing upon existing ipatests folder

=== Pavel Vomacka (4) ===
* Add pan and zoom functionality to the topology graph
* Nodes stay fixed after initial animation.
* Add field for group id in user add dialog
* Resize topology graph canvas according to window size

=== Petr Viktorin (23) ===
* Use explicit truncating division
* Don't index exceptions directly
* Use print_function future definition wherever print() is used
* Alias "unicode" to "str" under Python 3
* Avoid builtins that were removed in Python 3
* dnsutil: Rename __nonzero__ to __bool__
* Remove deprecated contrib/RHEL4
* make-lint: Allow running pylint --py3k to detect Python3 issues
* Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
* test_parameters: Ignore specific error message
* ipaldap, ldapupdate: Encoding fixes for Python 3
* ipautil.run, kernel_keyring: Encoding fixes for Python 3
* tests: Use absolute imports
* ipautil: Use mode 'w+' in write_tmp_file
* test_util: str/bytes check fixes for Python 3
* p11helper: Port to Python 3
* cli: Don't encode/decode for stdin/stdout on Python 3
* Package python3-ipaclient
* migration.py: Remove stray get_ipa_basedn import
* Move get_ipa_basedn from ipautil to ipadiscovery
* ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
* ipapython.sysrestore: Use str methods instead of functions from the string module
* ipalib.x809: Accept bytes for make_pem

=== Petr Voborník (11) ===
* webui: add examples to network address validator error message
* webui: pwpolicy cospriority field was marked as required
* spec: do not require arch specific ipalib package from noarch packages
* webui: dislay server suffixes in server search page
* stop installer when setup-ds.pl fail
* webui: remove moot error from webui build
* webui: use API call ca_is_enabled instead of enable_ra env variable.
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help
* Become IPA 4.3.1

=== Petr Špaček (15) ===
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to ldapkeydb.py
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG
* Fix --auto-reverse option in --unattended mode.
* Fix dns_is_enabled() API command to throw exceptions as appropriate
* Fix DNS zone overlap check to allow ipa-replica-install to work
* Fix ipa-adtrust-install to always generate SRV records with FQDNs

=== Simo Sorce (6) ===
* Use only AES enctypes by default
* Always verify we have a valid ldap context.
* Improve keytab code to select the right principal.
* Convert ipa-sam to use the new getkeytab control
* Allow admins to disable preauth for SPNs.
* Allow to specify Kerberos authz data type per user

=== Stanislav Laznicka (4) ===
* Listing and cleaning RUV extended for CA suffix
* Automatically detect and remove dangling RUVs
* Cosmetic changes to the code
* Fixes minor issues

=== Sumit Bose (1) ===
* ipa-kdb: map_groups() consider all results

=== Thierry Bordaz (2) ===
* configure DNA plugin shared config entries to allow connection with GSSAPI
* DS deadlock when memberof scopes topology plugin updates

=== Timo Aaltonen (6) ===
* Use HTTPD_USER in dogtaginstance.py
* Move freeipa certmonger helpers to libexecdir.
* ipa_restore: Import only FQDN from ipalib.constants
* ipaplatform: Move remaining user/group constants to ipaplatform.constants.
* Use ODS_USER/ODS_GROUP in opendnssec_conf.template
* Fix kdc.conf.template to use ipaplatform.paths.

=== Tomáš Babej (4) ===
* py3: Remove py3 incompatible exception handling
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5
* adtrustinstance: Make sure smb.conf exists

--
Petr Vobornik

From ftweedal at redhat.com  Fri Mar 25 02:03:04 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 25 Mar 2016 12:03:04 +1000
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324120924.GY16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2BC4F.8030908@redhat.com> <20160324013917.GH18277@dhcp-40-8.bne.redhat.com> <20160324120924.GY16196@redhat.com>
Message-ID: <20160325020304.GN18277@dhcp-40-8.bne.redhat.com>

On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> >
> > Further to Rob's points, what about including the method being used
> > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> > important aspect to include.
> >
> > How deep does this rabbit-hole go? :)
>
> The work, while focused primarily on web use-cases, should be usable
> outside of HTTP protocol. The rabbit hole might include questions
> about mapping FTP commands into some sensible list of methods that
> could be easily managed. In his work Lukáš seemed concerned by DENY
> rules not being supported (were removed from IPA), hence his regexp
> proposal with negative lookaheads to avoid
>
>     /         all users
>     /admin    admins
>
> where of course both URLs would match for access to /admin/edit but
> the longer one should win, thus serving as DENY.
>
> For FTP that has the potential of having to list looooong list of
> commands:
>
>     long-list-of-all-cmds-except-write-cmds   /   all users
>     long-list-of-write-commands               /   admins
>
> If we could specify
>
>     *                                         /   all users
>     long-list-of-write-commands               /   admins
>
> and the situation was not considered as introduction of DENY
> mechanism, it might be more feasible. We might still want to have
> "metacommands" like 'FTP:read', 'FTP:write' to group the underlying
> commands for easy maintenance and presentation.
>
> My preference would be not to do the methods at this time but have
> the data structured in such a way that it's easy to extend later.
>
This story:

``
As an administrator, I want to allow any user to "GET /posts"
and "GET /posts/\w+" but only users who are members of group
"authors" to "POST /posts" or "(PUT|DELETE) /posts/\w+"
''

will be the very first story if we release without method support. IMO it is too obvious and important a thing to omit from the initial implementation.

Cheers,
Fraser

From ofayans at redhat.com  Tue Mar 29 08:16:13 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 29 Mar 2016 10:16:13 +0200
Subject: [Freeipa-devel] Instructions to build ipa under RHEL
Message-ID: <56FA39CD.6010906@redhat.com>

Hi team,

Is there any kind of $subj available? Like, which repos to enable, etc.
I'm raising the topic because I was unable to install a number of build-time dependencies to build the official 4.3.1 packages under RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package): awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y | grep "No package" No package 389-ds-base-devel available. No package svrcore-devel available. No package samba-devel available. No package libwbclient-devel available. No package libtalloc-devel available. No package libtevent-devel available. No package xmlrpc-c-devel available. No package python-gssapi available. No package pylint available. No package python-polib available. No package libsss_idmap-devel available. No package libsss_nss_idmap-devel available. No package libunistring-devel available. No package python-lesscpy available. No package python-pytest-multihost available. No package python-pytest-sourceorder available. No package python-jwcrypto available. No package custodia available. No package libini_config-devel available. No package libcmocka-devel available. No package nss_wrapper available. No package python3-devel available. This leads to quite expected failure to build srpms. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Tue Mar 29 08:33:40 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 29 Mar 2016 10:33:40 +0200 Subject: [Freeipa-devel] Instructions to build ipa under RHEL In-Reply-To: <56FA39CD.6010906@redhat.com> References: <56FA39CD.6010906@redhat.com> Message-ID: <56FA3DE4.5070408@redhat.com> OK, I enabled the following repo: http://cosmos.lab.eng.pnq.redhat.com/idmqe-extras/rhel/7Server/x86_64/ and that gave me: pylint python-polib python-pytest-multihost python-pytest-sourceorder But the rest is still unavailable On 03/29/2016 10:16 AM, Oleg Fayans wrote: > Hi team, > > Is there any kind of $subj available? Like, which repos to enable, etc. 
> I'm raising the topic because I was unable to install a number of > build-time dependencies to build the official 4.3.1 packages under > RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package): > > awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y > | grep "No package" > No package 389-ds-base-devel available. > No package svrcore-devel available. > No package samba-devel available. > No package libwbclient-devel available. > No package libtalloc-devel available. > No package libtevent-devel available. > No package xmlrpc-c-devel available. > No package python-gssapi available. > No package pylint available. > No package python-polib available. > No package libsss_idmap-devel available. > No package libsss_nss_idmap-devel available. > No package libunistring-devel available. > No package python-lesscpy available. > No package python-pytest-multihost available. > No package python-pytest-sourceorder available. > No package python-jwcrypto available. > No package custodia available. > No package libini_config-devel available. > No package libcmocka-devel available. > No package nss_wrapper available. > No package python3-devel available. > > This leads to quite expected failure to build srpms. > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From pvoborni at redhat.com Tue Mar 29 08:37:42 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 29 Mar 2016 10:37:42 +0200 Subject: [Freeipa-devel] Instructions to build ipa under RHEL In-Reply-To: <56FA39CD.6010906@redhat.com> References: <56FA39CD.6010906@redhat.com> Message-ID: <56FA3ED6.5020208@redhat.com> On 03/29/2016 10:16 AM, Oleg Fayans wrote: > Hi team, > > Is there any kind of $subj available? Like, which repos to enable, etc. 
> I'm raising the topic because I was unable to install a number of > build-time dependencies to build the official 4.3.1 packages under > RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package): > > awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y > | grep "No package" > No package 389-ds-base-devel available. > No package svrcore-devel available. > No package samba-devel available. > No package libwbclient-devel available. > No package libtalloc-devel available. > No package libtevent-devel available. > No package xmlrpc-c-devel available. > No package python-gssapi available. > No package pylint available. > No package python-polib available. > No package libsss_idmap-devel available. > No package libsss_nss_idmap-devel available. > No package libunistring-devel available. > No package python-lesscpy available. > No package python-pytest-multihost available. > No package python-pytest-sourceorder available. > No package python-jwcrypto available. > No package custodia available. > No package libini_config-devel available. > No package libcmocka-devel available. > No package nss_wrapper available. > No package python3-devel available. > > This leads to quite expected failure to build srpms. > Some of the packages are not in RHEL 7.2. It's the usual case with FreeIPA major version newer than the one in latest RHEL. Usually if some version of FreeIPA is rebased in RHEL then the dependencies are also included. 
This gap could be solved, e.g., by COPR repositoris - the official one for 4.3 is: @freeipa/freeipa-4-3-centos7 Martin Babinsky is working on including 4.3.1 also with the test package there - progress can be viewed at: https://copr.fedorainfracloud.org/coprs/mbabinsk/freeipa-4-3-centos-7/builds/ -- Petr Vobornik From mbabinsk at redhat.com Tue Mar 29 08:38:48 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 29 Mar 2016 10:38:48 +0200 Subject: [Freeipa-devel] Instructions to build ipa under RHEL In-Reply-To: <56FA3DE4.5070408@redhat.com> References: <56FA39CD.6010906@redhat.com> <56FA3DE4.5070408@redhat.com> Message-ID: <56FA3F18.8060800@redhat.com> On 03/29/2016 10:33 AM, Oleg Fayans wrote: > OK, I enabled the following repo: > http://cosmos.lab.eng.pnq.redhat.com/idmqe-extras/rhel/7Server/x86_64/ > and that gave me: > pylint > python-polib > python-pytest-multihost > python-pytest-sourceorder > > But the rest is still unavailable > > On 03/29/2016 10:16 AM, Oleg Fayans wrote: >> Hi team, >> >> Is there any kind of $subj available? Like, which repos to enable, etc. >> I'm raising the topic because I was unable to install a number of >> build-time dependencies to build the official 4.3.1 packages under >> RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package): >> >> awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y >> | grep "No package" >> No package 389-ds-base-devel available. >> No package svrcore-devel available. >> No package samba-devel available. >> No package libwbclient-devel available. >> No package libtalloc-devel available. >> No package libtevent-devel available. >> No package xmlrpc-c-devel available. >> No package python-gssapi available. >> No package pylint available. >> No package python-polib available. >> No package libsss_idmap-devel available. >> No package libsss_nss_idmap-devel available. >> No package libunistring-devel available. >> No package python-lesscpy available. 
>> No package python-pytest-multihost available. >> No package python-pytest-sourceorder available. >> No package python-jwcrypto available. >> No package custodia available. >> No package libini_config-devel available. >> No package libcmocka-devel available. >> No package nss_wrapper available. >> No package python3-devel available. >> >> This leads to quite expected failure to build srpms. >> > Hi Oleg, If you can wait for a day or two I will push 4.3.1 to our Centos copr repo, you should be able to install 4.3.1 on RHEL from there. -- Martin^3 Babinsky From ofayans at redhat.com Tue Mar 29 08:40:09 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 29 Mar 2016 10:40:09 +0200 Subject: [Freeipa-devel] Instructions to build ipa under RHEL In-Reply-To: <56FA3ED6.5020208@redhat.com> References: <56FA39CD.6010906@redhat.com> <56FA3ED6.5020208@redhat.com> Message-ID: <56FA3F69.9060201@redhat.com> Petr, Martin, thanks guys! On 03/29/2016 10:37 AM, Petr Vobornik wrote: > On 03/29/2016 10:16 AM, Oleg Fayans wrote: >> Hi team, >> >> Is there any kind of $subj available? Like, which repos to enable, etc. >> I'm raising the topic because I was unable to install a number of >> build-time dependencies to build the official 4.3.1 packages under >> RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package): >> >> awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y >> | grep "No package" >> No package 389-ds-base-devel available. >> No package svrcore-devel available. >> No package samba-devel available. >> No package libwbclient-devel available. >> No package libtalloc-devel available. >> No package libtevent-devel available. >> No package xmlrpc-c-devel available. >> No package python-gssapi available. >> No package pylint available. >> No package python-polib available. >> No package libsss_idmap-devel available. >> No package libsss_nss_idmap-devel available. >> No package libunistring-devel available. >> No package python-lesscpy available. 
>> No package python-pytest-multihost available.
>> No package python-pytest-sourceorder available.
>> No package python-jwcrypto available.
>> No package custodia available.
>> No package libini_config-devel available.
>> No package libcmocka-devel available.
>> No package nss_wrapper available.
>> No package python3-devel available.
>>
>> This leads to quite expected failure to build srpms.
>>
>
> Some of the packages are not in RHEL 7.2. It's the usual case with
> FreeIPA major version newer than the one in latest RHEL.
>
> Usually if some version of FreeIPA is rebased in RHEL then the
> dependencies are also included.
>
> This gap could be solved, e.g., by COPR repositories - the official one
> for 4.3 is: @freeipa/freeipa-4-3-centos7
>
> Martin Babinsky is working on including 4.3.1 also with the test package
> there - progress can be viewed at:
> https://copr.fedorainfracloud.org/coprs/mbabinsk/freeipa-4-3-centos-7/builds/
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From lhellebr at redhat.com Tue Mar 29 08:50:08 2016
From: lhellebr at redhat.com (=?UTF-8?Q?Luk=c3=a1=c5=a1_Hellebrandt?=)
Date: Tue, 29 Mar 2016 10:50:08 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324092447.GR16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com>
Message-ID: <56FA41C0.9040705@redhat.com>

On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> The way most web applications (that I see as the first use for this
> feature) are structured, they have more openly accessible areas at
> "top" URLs like
>
>     /application/
>
> which might have unrestricted access, with authenticated or otherwise
> narrowed access underneath, like
>
>     /application/users/
>
> with yet more restricted areas in sub-URLs, for example
>
>     /application/users/admin/
>
> Since obviously allow rule for /application/users/ would match access
> to /application/users/admin/ as well and we don't want that, there
> needs to be a way to "override" the /application/users/ rule with
> a more specific one.
>
> You present two solutions to the problem -- deny rules, and regular
> expressions.
>
> Having to use
>
>     ^/application/users/(?!admin/).*
>
> rule to make sure it does not match /application/users/admin/ means
> that when you add
>
>     /application/users/helpdesk/
>
> you will not only have to edit that rule, but also amend the
>
>     ^/application/users/(?!admin/).*
>
> rule and add helpdesk there. That will be extremely volatile and
> error-prone if you have dozens of sub-locations that require
> separate, more restrictive access. Users cannot be expected to keep
> these separate rules in sync.
>
> My preferred solution would be to treat the URL as left prefix, and
> maintain for each URL/rule list of/links to sub-URLs/sub-rules for
> which the URL/rule no longer applies.
>
> So when you have rule for
>
>     /application/users/
>
> and add rule for
>
>     /application/users/admin/
>
> the first one gets automatically amended to be
>
>     /application/users/ [ admin/ ]
>
> And when you add
>
>     /application/
>
> it will automatically get
>
>     /application/ [ users/ ]
>
> because there is already a rule that limits the scope.
>
> The benefit of this approach is that if you need to evaluate access
> to say
>
>     /application/data/
>
> and you already have rule for
>
>     /application/ [ users/ ]
>
> cached either in SSSD or in the application (Apache module), you know
> you don't have to refetch additional rules because if they existed,
> their existence would be noted in the sub-URL "exclusion" list.
>
> You will achieve similar functionality to what you propose with the
> regular expression approach, except the computers will do the work
> of keeping things in sync, not users.
>

This solution would, effectively, mean DENY rules. Without them, adding
"/application/users/admin/" wouldn't change anything as the first rule
would allow "/application/users/.*" and the added rule would explicitly
allow "/application/users/admin/.*", changing nothing.

Furthermore, in some cases you might, for example, allow access to any
user except users starting with "admin_", which is a problem if there is
unknown or infinite or large number of those users. Regular expressions
seem to be more powerful.

--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From lhellebr at redhat.com Tue Mar 29 08:52:49 2016
From: lhellebr at redhat.com (=?UTF-8?Q?Luk=c3=a1=c5=a1_Hellebrandt?=)
Date: Tue, 29 Mar 2016 10:52:49 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324093147.GS16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324093147.GS16196@redhat.com>
Message-ID: <56FA4261.1030207@redhat.com>

On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
>     In all of them [ approaches ], I use only the part of URI
>     after hostname as hostname and service are already matched
>     as part of selecting HBAC rules to evaluate in terms of
>     matching URI.
>
> This is not correct.
>
> The hostname of the machine may be
>
>     cloud-123-567.example.com
>
> The service (principal) might be HTTP/cloud-123-567.example.com.
>
> The HBAC service (== PAM service) might be 'application', or 'httpd'.
>
> But the URL might be
>
>     http://wiki.example.com/wiki
>
> or
>
>     https://issues.example.com/
>
> or
>
>     http://www.example.com:8080/
>
> Distinct applications and content, with completely distinct URLs,
> locations, and security requirements, hosted on the same machine and
> under the same HBAC service.
>
> The full URL needs to be taken into account. There can be situations
> like
>
>     http:///wiki
>
> where the hostname is omitted in the rule but it has to be an
> explicit decision of the user (admin) editing the rules, not something
> built into the mechanism.
>

Actually, admin can specify whatever he wants in URI attribute. The only question here is what the application should send. So this is merely a matter of the Apache module in my case.

--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From lhellebr at redhat.com Tue Mar 29 08:57:51 2016
From: lhellebr at redhat.com (=?UTF-8?Q?Luk=c3=a1=c5=a1_Hellebrandt?=)
Date: Tue, 29 Mar 2016 10:57:51 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324123150.GB16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <56F2D4E1.7050001@redhat.com> <20160324123150.GB16196@redhat.com>
Message-ID: <56FA438F.8070008@redhat.com>

On 03/24/2016 01:31 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
>> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
>>> I created a design page for the feature:
>>>
>>> http://www.freeipa.org/page/URI-based-HBAC-design
>>
>> 1. The design page doesn't mention if mod_authnz_pam will be extended or
>> some new 'pam_sss' Apache module will be created. Or is it actually
>> mod_hbacauthz_pam as said in 'how to test'?
>
> If PAM is used and pam_sss is extended to accept the URL in PAM
> environment for pam_acct_mgmt, I'd expect patch would be proposed
> against mod_authnz_pam.
>
> If that turns out not to be a viable option, using SSSD's D-Bus
> interface might be the way to go, in which case it would likely be new
> module, something like mod_authz_sssd.
>

I have created my own Apache module serving just for this purpose (mod_hbacauthz_pam), but extending mod_authnz_pam is a matter of minutes and I will likely do that, too.

--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From lhellebr at redhat.com Tue Mar 29 08:59:13 2016
From: lhellebr at redhat.com (=?UTF-8?Q?Luk=c3=a1=c5=a1_Hellebrandt?=)
Date: Tue, 29 Mar 2016 10:59:13 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324124151.GA16353@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324124151.GA16353@redhat.com>
Message-ID: <56FA43E1.1000506@redhat.com>

On 03/24/2016 01:41 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> Could you please elaborate on unauthenticated accesses?
>
> Many web applications have completely public parts, and then
> authenticated sections, with more restricted access to subsections
> underneath. How do you envision configuration to look like, and how
> will the (missing) user identity be handled in that case?
>

No change compared to how it works now: if the public part doesn't require any authorization at all, the application won't even ask for authorization.
--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From jpazdziora at redhat.com Tue Mar 29 09:20:24 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 29 Mar 2016 11:20:24 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56FA41C0.9040705@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com> <56FA41C0.9040705@redhat.com>
Message-ID: <20160329092024.GT16196@redhat.com>

On Tue, Mar 29, 2016 at 10:50:08AM +0200, Lukáš Hellebrandt wrote:
> >
> > The benefit of this approach is that if you need to evaluate access
> > to say
> >
> >     /application/data/
> >
> > and you already have rule for
> >
> >     /application/ [ users/ ]
> >
> > cached either in SSSD or in the application (Apache module), you know
> > you don't have to refetch additional rules because if they existed,
> > their existence would be noted in the sub-URL "exclusion" list.
> >
> > You will achieve similar functionality to what you propose with the
> > regular expression approach, except the computers will do the work
> > of keeping things in sync, not users.
>
> This solution would, effectively, mean DENY rules. Without them, adding

Well, yes, but addressing the inherent problem of DENY rules, which is "if you miss the record for the DENY rule", you will go with the ALLOW rule. Because every ALLOW rule would have the automatically-maintained list of "excludes" or "scope limits", if you see the ALLOW rule, you will know that it does not apply to what it shouldn't apply to.

> "/application/users/admin/" wouldn't change anything as the first rule
> would allow "/application/users/.*" and the added rule would explicitly
> allow "/application/users/admin/.*", changing nothing.

My proposal is for IPA to do automatically the housekeeping, maintaining the information about /application/users/admin/ existence in the "parent" rule (/application/users/).
> Furthermore, in some cases you might, for example, allow access to any
> user except users starting with "admin_", which is a problem if there is

How do you propose to do that? You'd have to have a user group.

> unknown or infinite or large number of those users. Regular expressions
> seem to be more powerful.

More powerful: certainly. But your proposal also makes them much more complex and dangerous to use, if you want to be able to address typical Web applications and their layout.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From lhellebr at redhat.com Tue Mar 29 09:21:05 2016
From: lhellebr at redhat.com (=?UTF-8?Q?Luk=c3=a1=c5=a1_Hellebrandt?=)
Date: Tue, 29 Mar 2016 11:21:05 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56F3EDFF.6080308@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324094335.GT16196@redhat.com> <56F3E933.1060603@redhat.com> <56F3EDFF.6080308@redhat.com>
Message-ID: <56FA4901.1030901@redhat.com>

On 03/24/2016 02:39 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>>>> I created a design page for the feature:
>>>>
>>>> http://www.freeipa.org/page/URI-based-HBAC-design
>>> I try to put separate areas of concerns into separate emails to make
>>> it easy to keep track.
>>>
>>> The document says
>>>
>>>     There is a new field in HBAC rule details for adding URI PCRE
>>>     as plain text.
>>>
>>> We need an easy way for the user to enter multiple URLs for the same
>>> rule. The primary case is obviously the http / https duality
>>>
>>>     http://www.example.com/
>>>     https://www.example.com/
>>
>> Yes, let's split up the Hostname and the URI matching into two entities.
>
> I wasn't entirely clear when I brought this up. The design is a little
> fuzzy whether the previous HBAC elements are all required but
> potentially we _already_ have the hostname that this applies to. I think
> dealing with just the path would be much more straightforward. Of course
> that doesn't take into account virtual hosts/SNI, so maybe host is
> relevant after all.
>

Right, we only have to deal with path as the protocol is already in HBAC rules.

--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com

From jpazdziora at redhat.com Tue Mar 29 09:22:06 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 29 Mar 2016 11:22:06 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56FA43E1.1000506@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324124151.GA16353@redhat.com> <56FA43E1.1000506@redhat.com>
Message-ID: <20160329092206.GU16196@redhat.com>

On Tue, Mar 29, 2016 at 10:59:13AM +0200, Lukáš Hellebrandt wrote:
>
> No change compared to how it works now: if the public part doesn't
> require any authorization at all, the application won't even ask for
> authorization.

In other words, it won't be possible to enable unauthenticated access centrally (in IPA)?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From jpazdziora at redhat.com Tue Mar 29 09:30:29 2016
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Tue, 29 Mar 2016 11:30:29 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <56FA4901.1030901@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324094335.GT16196@redhat.com> <56F3E933.1060603@redhat.com> <56F3EDFF.6080308@redhat.com> <56FA4901.1030901@redhat.com>
Message-ID: <20160329093029.GV16196@redhat.com>

On Tue, Mar 29, 2016 at 11:21:05AM +0200, Lukáš Hellebrandt wrote:
>
> Right, we only have to deal with path as the protocol is already in HBAC
> rules.

I don't see protocol in HBAC rules -- there are HBAC (~ PAM) service name and canonical hostname of the machine.
But there isn't protocol (scheme) there, there isn't service host name there, and there isn't port there.

Can you please show (here or in the design page) how you envision the situation https://www.redhat.com/archives/freeipa-devel/2016-March/msg00462.html would be modeled?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From pvomacka at redhat.com Tue Mar 29 09:42:57 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 29 Mar 2016 11:42:57 +0200
Subject: [Freeipa-devel] [PATCH] 0009 webui: Show certificates in useful format
In-Reply-To: <56E99E3A.3040200@redhat.com>
References: <56E7FEA8.3010404@redhat.com> <56E99E3A.3040200@redhat.com>
Message-ID: <56FA4E21.3040504@redhat.com>

On 03/16/2016 06:56 PM, Petr Vobornik wrote:
> On 03/15/2016 01:23 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> patch for https://fedorahosted.org/freeipa/ticket/5311 is attached.
>>
>> --
>> Pavel^3 Vomacka
>>
>
> Not tested, but can we avoid using s with "white-space: pre" and
> therefore use only IPA.cert.pem_cert_format(text).
>
> Also, it should be displayed in monospaced, so probably add:
>
> .certificate-widget .certificate {
>     font-family: monospace;
>     overflow-x: auto;
>     white-space: pre;
> }

Fixed.

>
>
> Probably as a separate patch or ticket: we can add "download" button
> which would offer the certificate in form of data uri[1] with
> 'download' attribute of 'a' element [2]. So user will get pem encoded
> file without any hassle.
>
> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs
> [2] https://developer.mozilla.org/en/docs/Web/HTML/Element/a

The download button is really good idea. There is attached another patch which adds this button. If we need new ticket let me know and I will file it.

--
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0009-2-Show-certificate-in-useful-format.patch
Type: text/x-patch
Size: 1731 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0010-Add-download-button-for-certificates.patch
Type: text/x-patch
Size: 3937 bytes
Desc: not available
URL:

From lslebodn at redhat.com Tue Mar 29 13:37:07 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 29 Mar 2016 15:37:07 +0200
Subject: [Freeipa-devel] Instructions to build ipa under RHEL
In-Reply-To: <56FA39CD.6010906@redhat.com>
References: <56FA39CD.6010906@redhat.com>
Message-ID: <20160329133706.GB3573@mail.corp.redhat.com>

On (29/03/16 10:16), Oleg Fayans wrote:
>Hi team,
>
>Is there any kind of $subj available? Like, which repos to enable, etc.
>I'm raising the topic because I was unable to install a number of
>build-time dependencies to build the official 4.3.1 packages under
>RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package):
>
>awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y
>| grep "No package"

It's naive approach for installation of build dependencies
which ignore rpm conditions "%if (0%{?rhel} >= 7)"

Please use the right tools in future: yum-builddep.

>No package 389-ds-base-devel available.
>No package svrcore-devel available.
>No package samba-devel available.
>No package libwbclient-devel available.
>No package libtalloc-devel available.
>No package libtevent-devel available.
>No package xmlrpc-c-devel available.
>No package python-gssapi available.
>No package pylint available.
>No package python-polib available.
>No package libsss_idmap-devel available.
>No package libsss_nss_idmap-devel available.
>No package libunistring-devel available.
>No package python-lesscpy available.
>No package python-pytest-multihost available.
>No package python-pytest-sourceorder available.
>No package python-jwcrypto available.
>No package custodia available.
>No package libini_config-devel available.

Most of devel packages are in optional repositories.

>No package python3-devel available.

python3 is not available in rhel7 and never will be.

>No package libcmocka-devel available.
>No package nss_wrapper available.
>

These dependencies are optional and required only on fedora.

LS

From rcritten at redhat.com Tue Mar 29 13:47:27 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 29 Mar 2016 09:47:27 -0400
Subject: [Freeipa-devel] Instructions to build ipa under RHEL
In-Reply-To: <20160329133706.GB3573@mail.corp.redhat.com>
References: <56FA39CD.6010906@redhat.com> <20160329133706.GB3573@mail.corp.redhat.com>
Message-ID: <56FA876F.5030304@redhat.com>

Lukas Slebodnik wrote:
> On (29/03/16 10:16), Oleg Fayans wrote:
>> Hi team,
>>
>> Is there any kind of $subj available? Like, which repos to enable, etc.
>> I'm raising the topic because I was unable to install a number of
>> build-time dependencies to build the official 4.3.1 packages under
>> RHEL-7.2 (I need freeipa-4.3.1 srpms to build ipa-tests package):
>>
>> awk '/BuildRequires/ {print $2}' freeipa.spec.in | xargs yum install -y
>> | grep "No package"
> It's naive approach for installation of build dependencies
> which ignore rpm conditions "%if (0%{?rhel} >= 7)"
>
> Please use the right tools in future: yum-builddep.

This may have been based on the top-level BUILD file in the freeipa source. Perhaps that should be updated.

>> No package 389-ds-base-devel available.
>> No package svrcore-devel available.
>> No package samba-devel available.
>> No package libwbclient-devel available.
>> No package libtalloc-devel available.
>> No package libtevent-devel available.
>> No package xmlrpc-c-devel available.
>> No package python-gssapi available.
>> No package pylint available.
>> No package python-polib available.
>> No package libsss_idmap-devel available.
>> No package libsss_nss_idmap-devel available.
>> No package libunistring-devel available.
>> No package python-lesscpy available.
>> No package python-pytest-multihost available.
>> No package python-pytest-sourceorder available.
>> No package python-jwcrypto available.
>> No package custodia available.
>> No package libini_config-devel available.
> Most of devel packages are in optional repositories.
>
>> No package python3-devel available.
> python3 is not available in rhel7 and never will be.
>
>> No package libcmocka-devel available.
>> No package nss_wrapper available.
>>
> These dependencies are optional and required only
> on fedora.

They are required by the spec he is using.
rob

From slaznick at redhat.com Wed Mar 30 07:37:03 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Wed, 30 Mar 2016 09:37:03 +0200
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56F42D93.5050505@redhat.com>
References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> <56F42D93.5050505@redhat.com>
Message-ID: <56FB821F.6030106@redhat.com>

On 03/24/2016 07:10 PM, Stanislav Laznicka wrote:
> On 03/23/2016 08:13 PM, Martin Basti wrote:
>> [...]
>> Can you please update design
>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly
>> the --suffix option)? Also there are missing clean-ruv and list-ruv
>> commands in design, and fix usage at the bottom.
>>
>> 1)
>> I don't understand this expression
>> + if dirman_passwd is None or (
>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>
>> You already tested if subcommand belongs to cs_enabled_commands few
>> lines above, IMO the 'dirman_password is None' expression is enough.
> If I understand it well, when empty password is entered, the program
> continues and uses Kerberos credentials for some operations. E.g. for
> list-ruv, if empty password is entered, the command would only display
> RUVs for domain tree but not for the CA tree no matter if CA is set up
> or not (in the current state of the patch, after get_ruv refactoring).
> This here is one possible way around this, although the check for
> non-empty password might probably just as well be in
> get_ruv_both_suffixes.
>> 2)
>> +# tuple of commands that work with ca tree and need Directory Manager
>> password
>> +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv")
>>
>> this variable is used only to detect if dirman passwd is needed, I
>> suggest to rename it to commands_req_dirman_passwd, or something better.
>>
>> 3)
>> Q: Do we need is_cs_set() function?
>> A: Yes!
>>
>> I wanted to give you ultimate NACK, but then I checked how get_ruv code
>> works and I changed my mind.
>>
>> Please write a comment where is_cs_set function is used, why we need
>> extra function instead of catching an exception, possibly you can open a
>> refactoring ticket.
> After the refactoring changes, is_cs_set should not be needed anymore,
> removed it.
>>
>> Shame:
>> 1)
>> + if not test_connection(realm, host, options.nolookup) or\
>> Please use parentheses instead of backslash
>>
>> 2)
>> + args[0] in cs_enabled_commands:
>>
>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>
>> Indentation is not a multiple of 4
> Shame on me indeed, fixed it.
>>
>> Nitpicks (I don't insist on fixing these):
>> 1)
>> + if servers.get('ca', None):
>>
>> None is default
>>
>> 2)
>> + for (netloc, rid) in servers['ca']:
>> parentheses are not needed
>>
>> 3)
>> + print("\t%s: %s" % (netloc, rid))
>> Would be nice to use .format() instead of %
>>
>> Martin^2
>>
>>
>>
>> I changed my mind, ultimate NACK.
>> Please fix get_ruv function, is_cs_set will not help. In case there
>> are no RUVs but CA is installed, sys.exit there prevents us from
>> removing RUVs (or any other operation) on domain suffix, and vice versa.
>> I propose to move ticket to 4.4 milestone because I would like to
>> avoid breaking something in 4.3, as this will hit many places in
>> ipa-replica-manage.
>>
>> Please provide the refactoring of get_ruv as a separate patch and put
>> these patches on top of it.
>>
>> Martin2
> Did the refactoring. There also seemed to be duplicate code in
> abort_clean_ruv for some reason, removed it (I hope it does not break
> anything, but it seemed rather useless). Also had to change the
> numbers of the patches so that they would apply.
>
>

Self NACK. As I was updating the design today, I found out I omitted the information that abort-clean-ruv should now be called with --force by default. Updated the arguments of the abort call + man page in the patchset.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0026-1-ipa-replica-manage-refactoring.patch
Type: text/x-patch
Size: 5261 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0027-1-abort-clean-list-clean-ruv-now-work-for-both-suffixe.patch
Type: text/x-patch
Size: 11496 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0028-1-Moved-password-check-from-clean_dangling_ruv.patch
Type: text/x-patch
Size: 2505 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Mar 30 07:54:36 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 30 Mar 2016 09:54:36 +0200
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56FB821F.6030106@redhat.com>
References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> <56F42D93.5050505@redhat.com> <56FB821F.6030106@redhat.com>
Message-ID: <56FB863C.40701@redhat.com>

On 03/30/2016 09:37 AM, Stanislav Laznicka wrote:
> On 03/24/2016 07:10 PM, Stanislav Laznicka wrote:
>> On 03/23/2016 08:13 PM, Martin Basti wrote:
>>> [...]
>>> Can you please update design
>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly
>>> the --suffix option)? Also there are missing clean-ruv and list-ruv
>>> commands in design, and fix usage at the bottom.
>>>
>>> 1)
>>> I don't understand this expression
>>> + if dirman_passwd is None or (
>>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>>
>>> You already tested if subcommand belongs to cs_enabled_commands few
>>> lines above, IMO the 'dirman_password is None' expression is enough.
>> If I understand it well, when empty password is entered, the program continues
>> and uses Kerberos credentials for some operations. E.g. for list-ruv, if empty
>> password is entered, the command would only display RUVs for domain tree but
>> not for the CA tree no matter if CA is set up or not (in the current state of
>> the patch, after get_ruv refactoring). This here is one possible way around
>> this, although the check for non-empty password might probably just as well be
>> in get_ruv_both_suffixes.
>>> 2)
>>> +# tuple of commands that work with ca tree and need Directory Manager
>>> password
>>> +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv")
>>>
>>> this variable is used only to detect if dirman passwd is needed, I
>>> suggest to rename it to commands_req_dirman_passwd, or something better.
>>>
>>> 3)
>>> Q: Do we need is_cs_set() function?
>>> A: Yes!
>>>
>>> I wanted to give you ultimate NACK, but then I checked how get_ruv code
>>> works and I changed my mind.
>>>
>>> Please write a comment where is_cs_set function is used, why we need
>>> extra function instead of catching an exception, possibly you can open a
>>> refactoring ticket.
>> After the refactoring changes, is_cs_set should not be needed anymore, removed
>> it.
>>>
>>> Shame:
>>> 1)
>>> + if not test_connection(realm, host, options.nolookup) or\
>>> Please use parentheses instead of backslash
>>>
>>> 2)
>>> + args[0] in cs_enabled_commands:
>>>
>>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>>
>>> Indentation is not a multiple of 4
>> Shame on me indeed, fixed it.
>>>
>>> Nitpicks (I don't insist on fixing these):
>>> 1)
>>> + if servers.get('ca', None):
>>>
>>> None is default
>>>
>>> 2)
>>> + for (netloc, rid) in servers['ca']:
>>> parentheses are not needed
>>>
>>> 3)
>>> + print("\t%s: %s" % (netloc, rid))
>>> Would be nice to use .format() instead of %
>>>
>>> Martin^2
>>>
>>>
>>>
>>> I changed my mind, ultimate NACK.
>>> Please fix get_ruv function, is_cs_set will not help. In case there are no
>>> RUVs but CA is installed, sys.exit there prevents us from removing RUVs (or
>>> any other operation) on domain suffix, and vice versa.
>>> I propose to move ticket to 4.4 milestone because I would like to avoid
>>> breaking something in 4.3, as this will hit many places in ipa-replica-manage.
>>>
>>> Please provide the refactoring of get_ruv as a separate patch and put these
>>> patches on top of it.
>>>
>>> Martin2
>> Did the refactoring. There also seemed to be duplicate code in abort_clean_ruv
>> for some reason, removed it (I hope it does not break anything, but it seemed
>> rather useless). Also had to change the numbers of the patches so that they
>> would apply.
>>
>>
> Self NACK. As I was updating the design today, I found out I omitted the
> information that abort-clean-ruv should now be called with --force by default.
> Updated the arguments of the abort call + man page in the patchset.
>

I made a mistake in the design page. By --force I actually meant to use `replica-force-cleaning: yes"` as written in https://fedorahosted.org/freeipa/ticket/5396 (which means the relevant ticket in design is wrong).

But #5396 is especially important for clean-dangling ruvs sub command.

--
Petr Vobornik

From mbasti at redhat.com Wed Mar 30 08:06:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 30 Mar 2016 10:06:54 +0200
Subject: [Freeipa-devel] [PATCH] 956 replicainstall: log ACI and LDAP errors in promotion check
In-Reply-To: <56F3F969.3050506@redhat.com>
References: <56F3F969.3050506@redhat.com>
Message-ID: <56FB891E.5080405@redhat.com>

On 24.03.2016 15:27, Petr Vobornik wrote:
> to enable debugging of such errors.
>
> E.g.: https://fedorahosted.org/freeipa/ticket/5741
>
>

Can we log the whole traceback to get exact place where error happened?

Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From slaznick at redhat.com Wed Mar 30 08:20:59 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Wed, 30 Mar 2016 10:20:59 +0200
Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands
In-Reply-To: <56FB863C.40701@redhat.com>
References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> <56F42D93.5050505@redhat.com> <56FB821F.6030106@redhat.com> <56FB863C.40701@redhat.com>
Message-ID: <56FB8C6B.8030407@redhat.com>

On 03/30/2016 09:54 AM, Petr Vobornik wrote:
> On 03/30/2016 09:37 AM, Stanislav Laznicka wrote:
>> On 03/24/2016 07:10 PM, Stanislav Laznicka wrote:
>>> On 03/23/2016 08:13 PM, Martin Basti wrote:
>>>> [...]
>>>> Can you please update design
>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly
>>>> the --suffix option)? Also there are missing clean-ruv and list-ruv
>>>> commands in design, and fix usage at the bottom.
>>>>
>>>> 1)
>>>> I don't understand this expression
>>>> + if dirman_passwd is None or (
>>>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>>>
>>>> You already tested if subcommand belongs to cs_enabled_commands few
>>>> lines above, IMO the 'dirman_password is None' expression is enough.
>>> If I understand it well, when empty password is entered, the program
>>> continues
>>> and uses Kerberos credentials for some operations. E.g. for
>>> list-ruv, if empty
>>> password is entered, the command would only display RUVs for domain
>>> tree but
>>> not for the CA tree no matter if CA is set up or not (in the current
>>> state of
>>> the patch, after get_ruv refactoring). This here is one possible way
>>> around
>>> this, although the check for non-empty password might probably just
>>> as well be
>>> in get_ruv_both_suffixes.
>>>> 2)
>>>> +# tuple of commands that work with ca tree and need Directory Manager
>>>> password
>>>> +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv")
>>>>
>>>> this variable is used only to detect if dirman passwd is needed, I
>>>> suggest to rename it to commands_req_dirman_passwd, or something
>>>> better.
>>>>
>>>> 3)
>>>> Q: Do we need is_cs_set() function?
>>>> A: Yes!
>>>>
>>>> I wanted to give you ultimate NACK, but then I checked how get_ruv
>>>> code
>>>> works and I changed my mind.
>>>>
>>>> Please write a comment where is_cs_set function is used, why we need
>>>> extra function instead of catching an exception, possibly you can
>>>> open a
>>>> refactoring ticket.
>>> After the refactoring changes, is_cs_set should not be needed
>>> anymore, removed
>>> it.
>>>>
>>>> Shame:
>>>> 1)
>>>> + if not test_connection(realm, host, options.nolookup) or\
>>>> Please use parentheses instead of backslash
>>>>
>>>> 2)
>>>> + args[0] in cs_enabled_commands:
>>>>
>>>> + not dirman_passwd and args[0] in cs_enabled_commands):
>>>>
>>>> Indentation is not a multiple of 4
>>> Shame on me indeed, fixed it.
>>>>
>>>> Nitpicks (I don't insist on fixing these):
>>>> 1)
>>>> + if servers.get('ca', None):
>>>>
>>>> None is default
>>>>
>>>> 2)
>>>> + for (netloc, rid) in servers['ca']:
>>>> parentheses are not needed
>>>>
>>>> 3)
>>>> + print("\t%s: %s" % (netloc, rid))
>>>> Would be nice to use .format() instead of %
>>>>
>>>> Martin^2
>>>>
>>>>
>>>>
>>>> I changed my mind, ultimate NACK.
>>>> Please fix get_ruv function, is_cs_set will not help. In case there
>>>> are no
>>>> RUVs but CA is installed, sys.exit there prevents us from removing
>>>> RUVs (or
>>>> any other operation) on domain suffix, and vice versa.
>>>> I propose to move ticket to 4.4 milestone because I would like to avoid
>>>> breaking something in 4.3, as this will hit many places in
>>>> ipa-replica-manage.
>>>>
>>>> Please provide the refactoring of get_ruv as separate patch and put these
>>>> patches on top of it.
>>>>
>>>> Martin2
>>> Did the refactoring. There also seemed to be duplicate code in abort_clean_ruv
>>> for some reason, removed it (I hope it does not break anything, but it seemed
>>> rather useless). Also had to change the numbers of the patches so that they
>>> would apply.
>>>
>>>
>> Self NACK. As I was updating the design today, I found out I omitted the
>> information that abort-clean-ruv should now be called with --force by
>> default.
>> Updated the arguments of the abort call + man page in the patchset.
>>
>
> I made a mistake in the design page. By --force I actually meant to
> use `replica-force-cleaning: yes` as written in
> https://fedorahosted.org/freeipa/ticket/5396 (which means the relevant
> ticket in design is wrong).
>
> But #5396 is especially important for clean-dangling ruvs sub command.
>
>
I updated the design accordingly, then. The 'almost' original patchset can
therefore be used.

Note: clean-dangling-ruv now uses the --force option on clean-ruv by default.
It may or may not need to be updated later according to how #5396 is
implemented.

From ofayans at redhat.com Wed Mar 30 10:38:55 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 30 Mar 2016 12:38:55 +0200
Subject: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache
Message-ID: <56FBACBF.8050906@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

From slaznick at redhat.com Wed Mar 30 10:45:34 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Wed, 30 Mar 2016 12:45:34 +0200
Subject: [Freeipa-devel] [WIP][PATCH] Time-Based HBAC Policies
In-Reply-To: <56E04E38.8080804@redhat.com>
References: <56D9935D.9050507@redhat.com> <56E04E38.8080804@redhat.com>
Message-ID: <56FBAE4E.6020600@redhat.com>

On 03/09/2016 05:24 PM, Martin Basti wrote:
>
> On 04.03.2016 14:53, Stanislav Laznicka wrote:
>> Hello,
>>
>> So in the previous month and a bit I was reworking the time-based
>> policies according to the changes we agreed on
>> (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line
>> 83). Let me briefly walk you through what was done (no TLDR, sorry,
>> but split the text in chapters):
>>
>> *Time rule templates*
>> In the attachment is the proposal how this could be done using
>> costemplates. Currently, the time rule templates have their own
>> directory in the realm tree. The idea is that it could be used for
>> both HBAC and Sudo rules so it needs to be in a location both should
>> be able to reach. Should we not want them used in Sudo rules, the
>> template directory could be moved to HBAC directory. There are also
>> some new permissions for accessing these time rule templates which
>> may need to be revised if the templates should be used both for sudo
>> and HBAC rules.
>>
>> *iCalendar format validation*
>> So there is an iCalendar string validation now. During its creation,
>> I came across several issues with python-icalendar which is basically
>> why it took me so long to write the validation. I made several fixes
>> to the python-icalendar library, most of them are already merged in
>> the repository master (https://github.com/collective/icalendar), one
>> should be pushed in the next library major release.
>>
>> My pull requests:
>> https://github.com/collective/icalendar/pull/175
>> https://github.com/collective/icalendar/pull/179
>> https://github.com/collective/icalendar/pull/180
>> https://github.com/collective/icalendar/pull/183
>> https://github.com/collective/icalendar/pull/189
>>
>> I still have one fix in the making, that one should force the strong
>> types in iCalendar as these are also missing in python-icalendar but
>> required by the RFC.
>>
>> Also, obviously, if you want to try the patches, you will need the
>> current python-icalendar implementation from Github. I haven't put
>> python-icalendar dependency into the .spec file yet for this reason.
>>
>> *Summary*
>> We are now able to import iCalendar strings from files and more or
>> less be sure that the parts we need will be consistent with the RFC
>> 5545 (basically, we are only checking that VEVENT components are
>> correct, to bring strict checking to python-icalendar would take some
>> time and I believe I spent way too much time with it already (there
>> is an issue on their github page, though, it's 4 years old)).
>>
>> *TODO now*
>> 0) Update the design
>> 1a) The hbacrule-*-accesstime should probably be split into 2
>> commands, one that reads iCalendar strings from files, and one that
>> creates those strings from "some kind of user input" (similarly for
>> timeruletemplates).
>> 1b) Create the format of user input we could expect for the second
>> kind of command from 1a). We need to be able to convert it to
>> iCalendar string and back so that we are able to present the data
>> stored on the server in human readable form.
>> http://jkbrzt.github.io/rrule/ NL part might be of help although it
>> aims mostly on RRULE property of VEVENT components, whereas we may
>> want to use DTEND, EXDATE, RDATE and DURATION as well to be able to
>> specify events more properly.
>> 2) Represent the HBAC time rules on SSSD side.
>> I already have a
>> skeleton of this based on libical
>> (https://github.com/libical/libical), which hopefully seems to be
>> more viable than python-icalendar. I do not mean to do the validation
>> of received iCalendar string on the SSSD side anymore (at least not
>> in an excessive way), just get the required properties from VEVENT
>> components and evaluate them accordingly.
>>
>> *Discuss*
>> I would really appreciate your input on these topics:
>> 1) How to represent the iCalendar strings on the client side in CLI
>> (while thinking about WebUI as well)?
>> 2a) Do we want to use the time rules for Sudo rules as well?
>> 2b) If 2a), is the proposed location of time rule templates along
>> with the privileges ok?
>>
>> Standa
>>
>>
> Hello,
> thank you for the patchset, I have a few comments :)
>
> 1)
> +attributeTypes: (2.16.840.1.113730.3.8.11.72 NAME 'timeruleClass'
> DESC 'CNs of the timerule classes'
>
> OID above is registered as:
> 2.16.840.1.113730.3.8.11.72 accessTimeExclude
> Access time - exclude these values

I would like to stick with a known OID before we decide that the patch is in
final version but it's of course a right point until then.

>
> 2)
> please add requires and buildrequires to specfile (python-icalendar)

Done.

>
> 3)
> Pylint is running, please wait ...
> ************* Module ipalib.plugins.hbacrule
> ipalib/plugins/hbacrule.py:166: [E1101(no-member), validate_icalfile]
> Instance of 'list' has no 'name' member)
> ipalib/plugins/hbacrule.py:175: [E1101(no-member), validate_icalfile]
> Instance of 'list' has no 'subcomponents' member)
> ipalib/plugins/hbacrule.py:177: [E1601(print-statement),
> validate_icalfile] print statement used)
> ipalib/plugins/hbacrule.py:190: [E1601(print-statement),
> validate_icalfile] print statement used)
>
> first two errors must be disabled by # pylint: disable=no-member
> because it is too complicated for pylint
>
> I'm pretty sure that print should not be in plugin implementation

Done, replaced the prints with root_logger.

>
> 4)
> PEP8
>
> ./ipalib/plugins/hbacrule.py:255:80: E501 line too long (216 > 79 characters)
> ./ipalib/plugins/hbacrule.py:262:80: E501 line too long (225 > 79 characters)
> ./ipalib/plugins/hbacrule.py:270:80: E501 line too long (251 > 79 characters)
> ./ipalib/plugins/hbacrule.py:456:17: E127 continuation line
> over-indented for visual indent
> ./ipalib/plugins/hbacrule.py:646:80: E501 line too long (80 > 79 characters)
> ./ipalib/plugins/hbacrule.py:657:1: E302 expected 2 blank lines, found 1
> ./ipalib/plugins/hbacrule.py:663:1: E302 expected 2 blank lines, found 1
>
> ./ipalib/plugins/hbacrule.py:177:80: E501 line too long (80 > 79 characters)
> ./ipalib/plugins/hbacrule.py:215:80: E501 line too long (80 > 79 characters)
>

Do you want me to fix this last 1 letter overflow as well? It would probably
look worse if I did.

> ./ipalib/plugins/hbacrule.py:542:80: E501 line too long (127 > 79 characters)
> ./ipalib/plugins/hbacrule.py:544:80: E501 line too long (127 > 79 characters)

These two were not really caused by me but I can fix these PEP8 errors along
with some others in a separate patch if you want to.

> ./ipalib/plugins/hbacrule.py:551:1: E303 too many blank lines (3)
>
> 5)
> Following imports in hbac rule should be before ipalib imports
>
> +import icalendar
> +from datetime import date
> +
>

Done.

> 6)
> + ical_errors = ('{comp}: {err}'
> + .format(comp=x, err=y) for x, y in comp.errors)
>
> it is not clear for me what is x, and y. A component of the component?
> can you name it better than x,y. We are not limited by length of
> identifiers in python too much :)

Good eye, it was actually a property of a component. Modified it a bit.
Components may appear in components too, though.

>
> 7)
> ugettext string is wrong (all places)
> + error=_('There were errors parsing the iCalendar
> string:\n{errs}'
> + .format(errs='\n'.join(ical_errors)))
> it should be
>
> error=_('There were errors parsing the iCalendar
> string:\n{errs}').format(errs='\n'.join(ical_errors))
>

Had to go with the "%" syntax in the end because "Instance of 'Gettext' has no
'format' member". However, this brought kind of inconsistency of how strings
are handled in my code. Would it be better to use the "%" syntax everywhere,
then?

>
> 8)
> + # TODO: comp.required might be removed when
> + # https://github.com/collective/icalendar/pull/183 is merged
>
> I'm not fan of TODO's in code, you provide copr repo anyway, so
> please build package with this merge and remove TODO, we should create
> workaround when upstream refuse your patches.

Let me just leave that there as long as we're in WIP phase so that I might
eventually remove that part of code when the mentioned patch is merged or just
remove the comments if not.

>
> 9)
> + if api.env.context == 'cli':
> + if ics and os.path.exists(ics):
> + return
>
> The param is File class, so this check should be done automatically

Done. I just followed the code from cert.py.

>
> 10)
> + icalstr = ics
>
> this statement is useless, please use ics directly
>

Done, of course.

> 11)
> +def validate_icalfile(ugettext, ics):
>
> This and other similar restriction are required by IPA or it is
> invalid icalfile? (sorry for question but I'm not familiar with
> icalendar enough yet)

It is an invalid icalfile.

> + error=_('A VEVENT component can\'t contain '
> + 'subcomponent "{}".'.format(sub.name))
> + )
>
> In second case (icalfile is invalid) shouldn't be this validation done
> in python-icalendar module instead of IPA validators?

I believe all (or most of) the checks should be done in python-icalendar,
actually. As I started working with libical again, I am getting the impression
that the iCalendar parsers are there only to get the information from what
seems to be an iCalendar string by any means possible no matter how wrong the
input is. I believe that theory tells us that parser should be able to
distinguish invalid input from valid one, yet this is not true at all for
python-icalendar and for libical. While such behavior might be desirable in
some cases, these parsers should at least have means to check the validity of
the input if it's not performed by default. Yet they don't and I can say it
literally drives me insane.

>
> 12)
> + if 'DTEND' in comp.keys() and 'DURATION' in comp.keys():
> + raise errors.ValidationError(
> + name=name,
> + error=_('Both DURATION and DTEND set in a VEVENT.')
> + )
> +
> + elif 'DTEND' in comp.keys():
> + if type(comp['DTSTART'].dt) != type(comp['DTEND'].dt):
> + raise errors.ValidationError(
> + name=name,
> + error=_('Different types of DTSTART and DTEND '
> + 'component in VEVENT.')
> + )
>
> IMO following way is better for readability
> if 'DTEND' in comp.keys():
> if 'DURATION' in comp.keys():
> something1
> elif type(comp['DTSTART'].dt) != type(comp['DTEND'].dt):
> something2

You're right, modified it.

>
> 13)
> PATCH: Templating of access time rules for HBAC
> There is missing upgrade path for:
> +dn: cn=timeruleTemplates,$SUFFIX
> +dn: cn=cosTimerulesDef,cn=hbac,$SUFFIX

Should be ok now.

>
> 14)
> + container_dn = DN(('cn', 'timeruletemplates'))
> Please define this in constants.py
>

Done.

>
> 15)
> Your managed ACI are completely new, so there should not be 'replaces'
> definition (several times)
> + 'replaces': [
> + '(target =
> "ldap:///cn=*,cn=timeruletemplates,$SUFFIX")(version 3.0;acl
> "permission:Delete Time Rule Template";allow (delete) groupdn =
> "ldap:///cn=Delete Time Rule Template,cn=permissions,cn=pbac,$SUFFIX";)',
> + ],
>
>

Oh ok.

> 16)
> + 'System: Read Time Rule Template' should have also
> 'objectclass' as allowed attribute

Seems like it's already there.

>
> 17)
>
> + File('accesstime', validate_icalfile,
> + cli_name='time',
> + label=_('Access time'),
> + ),
> I prefer to have file option named like icalfile, instead of
> accesstime, as you mentioned we may need to add more options to be UX
> friendly
>
> Should we have option, which will take ical string directly from CLI,
> IMO yes.
> (this applies for both, hbacrule, and timerule template)

While I might be wrong here, it seems that the api commands won't accept
newline as a part of a single input, separating the input as multivalued by
newlines. Typical iCalendar string is a lot of newlines. I currently left the
'accesstime' option there. Probably, in the end, there will have to be a
separate method to load the content from an iCalendar file and store it to the
database. So the current accesstime methods are mere placeholders.

>
> 18)
> IMO timeruletemplate should be in separate module, we may reuse this
> later, and I don't see why it should be in HBAC module
>

There's the validation part that's the same for both adding accesstime from
ical file to hbacrule and for adding it to timerule template. A possible
solution for splitting the modules would be to add a certain class to
parameters.py just for validation. Then timerule_templates could have their own
module as well as the validation would be usable in multiple other places.
There's probably another way around this, though. Ideas are welcome :)

>
> 19)
> + Str('timeruleclass*',
> + cli_name='class'),
>
> why option --class? it does not look descriptive enough for me. How
> about --timerule-template. Also timeruletemplate instead of
> timeruleclass looks better to me.
>
>

That seems right, modified it to timeruletemplate.

> 20)
> + result = ldap.get_entry(DN(('cn',
> options['timeruleclass'][0]),
> + ('cn', 'timeruletemplates'),
> + api.env.basedn))
> Please use constants for container timeruletemplates
> result is unused var, remove it please.

Done.

>
>
> I have to look closer to icalendar and DS templates :)
> So review is not finished, but feel free to fix issues I listed.

For iCalendar, there's of course the RFC: http://tools.ietf.org/html/rfc5545
and the Class of Service is thoroughly described at
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management-Assigning_Class_of_Service.html.

>
> Martin^2
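
Review bot: in the item 12 lines, the `elif 'DTEND' in comp.keys():` branch indexes `comp['DTSTART']` with no visible check that DTSTART is present, so a VEVENT that carries DTEND but no DTSTART would surface as a KeyError instead of the `errors.ValidationError` the neighbouring branch raises. Unless a required-property check that is not quoted here already guarantees DTSTART, test for it first and raise a ValidationError naming the missing property. The exact `type(...) != type(...)` comparison is worth a short comment: `datetime` is a subclass of `date`, so an `isinstance` rewrite would let a DATE/DATE-TIME pair through.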
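
A stand-alone sketch of the strict VEVENT checks discussed in this review (DTEND together with DURATION, mismatched DTSTART/DTEND value types, unexpected subcomponents), written without python-icalendar so that malformed input is rejected rather than tolerated. This is an added example, not code from the FreeIPA patch; the function names, the VALARM-only rule, the single-VCALENDAR and mandatory-DTSTART requirements, and the sample calendars are assumptions made here.

```python
import re

# NAME, optional ;params (quoted values may contain ':'), then ':' and value.
CONTENT_LINE = re.compile(
    r'^(?P<name>[A-Za-z0-9-]+)(?:;(?:"[^"]*"|[^":])*)?:(?P<value>.*)$')
DATE = re.compile(r'^\d{8}$')
DATE_TIME = re.compile(r'^\d{8}T\d{6}Z?$')
ALLOWED_IN_VEVENT = {'VALARM'}  # assumption: only alarms may nest in a VEVENT

def unfold(text):
    """Undo RFC 5545 folding: a line starting with space/tab continues."""
    lines = []
    for raw in text.replace('\r\n', '\n').split('\n'):
        if raw[:1] in (' ', '\t') and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_components(text):
    """Return (top-level components, structural errors)."""
    root = {'name': None, 'props': {}, 'subs': []}
    stack, errors = [root], []
    for line in unfold(text):
        match = CONTENT_LINE.match(line)
        if match is None:
            errors.append('malformed content line: %r' % line)
            continue
        name, value = match.group('name').upper(), match.group('value')
        if name == 'BEGIN':
            comp = {'name': value.upper(), 'props': {}, 'subs': []}
            stack[-1]['subs'].append(comp)
            stack.append(comp)
        elif name == 'END':
            if len(stack) == 1 or stack[-1]['name'] != value.upper():
                errors.append('unexpected END:%s' % value)
                return root['subs'], errors  # nesting is lost, stop here
            stack.pop()
        else:
            stack[-1]['props'].setdefault(name, []).append(value)
    if len(stack) > 1:
        errors.append('missing END:%s' % stack[-1]['name'])
    return root['subs'], errors

def value_type(value):
    if DATE.match(value):
        return 'DATE'
    return 'DATE-TIME' if DATE_TIME.match(value) else None  # None: neither

def validate_vevent(comp):
    """Apply the VEVENT checks from the review; return error strings."""
    props, errors = comp['props'], []
    for sub in comp['subs']:
        if sub['name'] not in ALLOWED_IN_VEVENT:
            errors.append('subcomponent %s is not allowed' % sub['name'])
    if 'DTSTART' not in props:  # checked before DTSTART is ever indexed
        return errors + ['DTSTART is missing']
    start = value_type(props['DTSTART'][0])
    if start is None:
        errors.append('DTSTART is not a DATE or DATE-TIME value')
    if 'DTEND' in props:
        end = value_type(props['DTEND'][0])
        if 'DURATION' in props:
            errors.append('both DURATION and DTEND set')
        elif end is None:
            errors.append('DTEND is not a DATE or DATE-TIME value')
        elif start is not None and end != start:
            errors.append('DTSTART and DTEND have different value types')
    return errors

def validate_access_time(text):
    """Return every problem found; an empty list means the rule is usable."""
    comps, errors = parse_components(text)
    if errors:
        return errors
    if len(comps) != 1 or comps[0]['name'] != 'VCALENDAR':
        return ['expected exactly one VCALENDAR object']
    events = [c for c in comps[0]['subs'] if c['name'] == 'VEVENT']
    if not events:
        return ['no VEVENT component']
    for number, event in enumerate(events, 1):
        errors.extend('VEVENT #%d: %s' % (number, problem)
                      for problem in validate_vevent(event))
    return errors

def wrap(event_lines):
    """Constructed sample data: VEVENT body lines inside a VCALENDAR."""
    head = ['BEGIN:VCALENDAR', 'VERSION:2.0', 'PRODID:-//constructed//EN',
            'BEGIN:VEVENT', 'UID:constructed-1', 'DTSTAMP:20160330T100000Z']
    return '\r\n'.join(head + event_lines + ['END:VEVENT', 'END:VCALENDAR', ''])

WORKDAYS = wrap(['DTSTART:20160401T080000Z', 'DTEND:20160401T160000Z',
                 'RRULE:FREQ=WEEKLY;BYDAY=MO,TU,', ' WE,TH,FR'])  # folded line
BOTH_ENDS = wrap(['DTSTART:20160401T080000Z', 'DTEND:20160401T160000Z',
                  'DURATION:PT8H'])
MIXED_TYPES = wrap(['DTSTART;VALUE=DATE:20160401', 'DTEND:20160401T160000Z'])
NESTED = wrap(['DTSTART:20160401T080000Z', 'BEGIN:VTODO', 'END:VTODO'])
TRUNCATED = WORKDAYS.replace('END:VEVENT\r\n', '')
```

Calling `validate_access_time()` on each constructed sample returns the list of problems, so a caller can refuse to store a time rule whenever the list is non-empty.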

From pvomacka at redhat.com Wed Mar 30 10:46:02 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Wed, 30 Mar 2016 12:46:02 +0200
Subject: [Freeipa-devel] [PATCH] 0009 webui: Show certificates in useful format
In-Reply-To: <56FA4E21.3040504@redhat.com>
References: <56E7FEA8.3010404@redhat.com> <56E99E3A.3040200@redhat.com>
 <56FA4E21.3040504@redhat.com>
Message-ID: <56FBAE6A.6040008@redhat.com>

On 03/29/2016 11:42 AM, Pavel Vomacka wrote:
>
>
> On 03/16/2016 06:56 PM, Petr Vobornik wrote:
>> On 03/15/2016 01:23 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> patch for https://fedorahosted.org/freeipa/ticket/5311 is attached.
>>>
>>> --
>>> Pavel^3 Vomacka
>>>
>>
>> Not tested, but can we avoid using
s with "white-space: pre" and
>> therefore use only IPA.cert.pem_cert_format(text).
>>
>> Also, it should be displayed in monospaced, so probably add:
>>
>> .certificate-widget .certificate {
>>     font-family: monospace;
>>     overflow-x: auto;
>>     white-space: pre;
>> }
> Fixed.
>>
>>
>> Probably as a separate patch or ticket: we can add "download" button
>> which would offer the certificate in form of data uri[1] with
>> 'download' attribute of 'a' element [2]. So user will get pem encoded
>> file without any hassle.
>>
>> [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/data_URIs
>> [2] https://developer.mozilla.org/en/docs/Web/HTML/Element/a
> The download button is really good idea. There is attached another
> patch which adds this button. If we need new ticket let me know and I
> will file it.
>
> --
> Pavel^3 Vomacka
>
>
Self NACK, css parts should be moved to less files. Attaching new patches.

From mbabinsk at redhat.com Wed Mar 30 12:04:36 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 30 Mar 2016 14:04:36 +0200
Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management
In-Reply-To: <56EACA2F.6060509@redhat.com>
References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com>
 <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com>
 <56EAC8D2.5020008@redhat.com> <56EACA2F.6060509@redhat.com>
Message-ID: <56FBC0D4.2040902@redhat.com>

On 03/17/2016 04:15 PM, Petr Vobornik wrote:
> On 03/17/2016 04:10 PM, Martin Babinsky wrote:
>> On 03/17/2016 03:37 PM, Petr Vobornik wrote:
>>> On 03/17/2016 03:17 PM, Martin Babinsky wrote:
>>>> On 03/17/2016 02:55 PM, Petr Vobornik wrote:
>>>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote:
>>>>>> Hi list,
>>>>>>
>>>>>> I would like to discuss the merge of `del_master_managed()` function
>>>>>> from `ipa-replica-manage` command into the server_del API call that is a
>>>>>> part of the managed replication topology design update[1] (see also the
>>>>>> corresponding upstream ticket [2]).
>>>>>>
>>>>>> Before I head down into coding I want to be sure that everyone is on
>>>>>> the same page regarding the expected use-cases which govern the API
>>>>>> design.
>>>>>>
>>>>>> IIUC, there are two main uses of the new functionality according to
>>>>>> design document:
>>>>>>
>>>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in
>>>>>> domain-level 1
>>>>>
>>>>> Right, this is for backwards compatibility (BC).
>>>>>
>>>>>>
>>>>>> 2.)
>>>>>> during 'ipa-server-install --uninstall', 'server_del' should be
>>>>>> called on one of remote masters to remove the uninstalled server from
>>>>>> the managed topology
>>>>>>
>>>>>> What I didn't get from the design document is whether the method should
>>>>>> have some kind of 'force' option which should bypass all topology
>>>>>> connectivity checks. Currently both `ipa-replica-manage del` and server
>>>>>> uninstaller have options which will force the removal even if it
>>>>>> disconnects the topology ('--force' in the former,
>>>>>> '--ignore-disconnected-topology' in the latter).
>>>>>
>>>>> I would say that uninstaller should do checks in validate method
>>>>> therefore the subsequent `server-del` doesn't need to do it again but it
>>>>> shouldn't harm. I.e. it should follow what the user specified. If user
>>>>> wants to skip (--ignore-d..-t..) then skip. If not then it will fail in
>>>>> validate method.
>>>>>
>>>>> Only issue might be error state where servers have different picture of
>>>>> the topology.
>>>>>
>>>> If the view of the topology is not self-consistent then you have plenty
>>>> of other issues to take care of and that may include some forced removal
>>>> and recreation of nodes.
>>>>
>>>>>>
>>>>>> I guess the 'server_del' method should inherit this flag so that we
>>>>>> retain the original functionality (for better or worse). I propose to
>>>>>> name this option 'ignore_topology_disconnect' because it is more
>>>>>> descriptive than plain 'force'.
>>>>>
>>>>> +1
>>>>>
>>>>> And in BC case, `ipa-replica-manage --force` would call `server-del
>>>>> --ig..-d..-t...`
>>>>>
>>>> Yes.
>>>>>>
>>>>>> I would also like to ask whether 'server_del' (which is currently
>>>>>> NO_CLI) should be usable also from command line.
>>>>>
>>>>> IMO yes, it should mostly as a counterpart of `ipa-replica-manage --force
>>>>> --clean`
>>>>>
>>>>> Which brings us to --clean option and what it should do...
>>>>>
>>>> According to the design, '--clean' should be used as a cleanup of
>>>> leftovers after deleted servers. How I imagine it from the implementation
>>>> point of view is that when '--clean' is specified and the server was
>>>> already deleted, the NotFound error raised from the framework should be
>>>> ignored and the code should continue in clean up. (I assume that
>>>> segment/service/dns cleanup will be done in post_callback portion and
>>>> the topology connectivity/sanity checks in the pre_callback).
>>>
>>> When thinking about it, clean could be a separate command which would be
>>> called internally in post callback of server-del. It would reduce the
>>> number of ifs in server-del and simplify it in general. It would work
>>> only if server entry doesn't exist.
>>>
>> That was my original idea. I also thought that 'check_last_link_managed'
>> could be a separate command, but it is probably not a very good idea to
>> add the overhead of calling two separate commands to a single API call.
>> OTOH it would improve the code organization IMHO.
>
> Not sure if check_last_link_managed should be an API command. It is
> already a separate function. What would be the use case for it as a
> command?
>
> Maybe the function should be moved from ipaserver/install/replication to
> a more suitable place given that it's used from API - it's up to you.
>
>>
>>>> That means that '--clean' has no additional effect when the server
>>>> exists.
>>>
>>> Right
>>>
>>>>>>
>>>>>>
>>>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
>>>>>> [2] https://fedorahosted.org/freeipa/ticket/5588
>>>>>>
>>
>>

There are two more things I would like to clarify before I can finish the
patch:

1.) We have discussed offline that the ensure_last_services function[1] shall
be reimplemented in the API command using server roles (I will open a ticket
for this when time comes). Currently the code works interactively, prompting
the user about removing last DNS/CA/etc server.
The behavior is overridden by --force option.

I guess we do not want to have interactive prompting in the API command, so we
will have to handle this somehow. A proposal would be to by default abort
removal of last DNS/CA server and add a '--force' option which will override
this check and also override the disconnected topology check (IMHO it is not
of much use to keep both options in this case). What do you think?

2.) Removal of DNS entries is handled by directly calling
bindinstance/dnskeysyncinstance code[2]. Obviously this is not very desirable
in the context of API code since we would then need to conditionally import
these modules on server side (one option but not very nice IMHO). Should I
reimplement this code using API commands or move the relevant bits into
ipapython/ipalib?

[1] https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n753
[2] https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n810

--
Martin^3 Babinsky

From pvoborni at redhat.com Wed Mar 30 12:32:54 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 30 Mar 2016 14:32:54 +0200
Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management
In-Reply-To: <56FBC0D4.2040902@redhat.com>
References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com>
 <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com>
 <56EAC8D2.5020008@redhat.com> <56EACA2F.6060509@redhat.com>
 <56FBC0D4.2040902@redhat.com>
Message-ID: <56FBC776.8020509@redhat.com>

On 03/30/2016 02:04 PM, Martin Babinsky wrote:
> On 03/17/2016 04:15 PM, Petr Vobornik wrote:
>> On 03/17/2016 04:10 PM, Martin Babinsky wrote:
>>> On 03/17/2016 03:37 PM, Petr Vobornik wrote:
>>>> On 03/17/2016 03:17 PM, Martin Babinsky wrote:
>>>>> On 03/17/2016 02:55 PM, Petr Vobornik wrote:
>>>>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote:
>>>>>>> Hi list,
>>>>>>>
>>>>>>> I would like to discuss the merge of
>>>>>>> `del_master_managed()` function
>>>>>>> from `ipa-replica-manage` command into the server_del API call that is a
>>>>>>> part of the managed replication topology design update[1] (see also the
>>>>>>> corresponding upstream ticket [2]).
>>>>>>>
>>>>>>> Before I head down into coding I want to be sure that everyone is on
>>>>>>> the same page regarding the expected use-cases which govern the API
>>>>>>> design.
>>>>>>>
>>>>>>> IIUC, there are two main uses of the new functionality according to
>>>>>>> design document:
>>>>>>>
>>>>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in
>>>>>>> domain-level 1
>>>>>>
>>>>>> Right, this is for backwards compatibility (BC).
>>>>>>
>>>>>>>
>>>>>>> 2.) during 'ipa-server-install --uninstall', 'server_del' should be
>>>>>>> called on one of remote masters to remove the uninstalled server from
>>>>>>> the managed topology
>>>>>>>
>>>>>>> What I didn't get from the design document is whether the method should
>>>>>>> have some kind of 'force' option which should bypass all topology
>>>>>>> connectivity checks. Currently both `ipa-replica-manage del` and server
>>>>>>> uninstaller have options which will force the removal even if it
>>>>>>> disconnects the topology ('--force' in the former,
>>>>>>> '--ignore-disconnected-topology' in the latter).
>>>>>>
>>>>>> I would say that uninstaller should do checks in validate method
>>>>>> therefore the subsequent `server-del` doesn't need to do it again but it
>>>>>> shouldn't harm. I.e. it should follow what the user specified. If user
>>>>>> wants to skip (--ignore-d..-t..) then skip. If not then it will fail in
>>>>>> validate method.
>>>>>>
>>>>>> Only issue might be error state where servers have different picture of
>>>>>> the topology.
>>>>>>
>>>>> If the view of the topology is not self-consistent then you have plenty
>>>>> of other issues to take care of and that may include some forced removal
>>>>> and recreation of nodes.
>>>>>
>>>>>>>
>>>>>>> I guess the 'server_del' method should inherit this flag so that we
>>>>>>> retain the original functionality (for better or worse). I propose to
>>>>>>> name this option 'ignore_topology_disconnect' because it is more
>>>>>>> descriptive than plain 'force'.
>>>>>>
>>>>>> +1
>>>>>>
>>>>>> And in BC case, `ipa-replica-manage --force` would call `server-del
>>>>>> --ig..-d..-t...`
>>>>>>
>>>>> Yes.
>>>>>>>
>>>>>>> I would also like to ask whether 'server_del' (which is currently
>>>>>>> NO_CLI) should be usable also from command line.
>>>>>>
>>>>>> IMO yes, it should mostly as a counterpart of `ipa-replica-manage --force
>>>>>> --clean`
>>>>>>
>>>>>> Which brings us to --clean option and what it should do...
>>>>>>
>>>>> According to the design, '--clean' should be used as a cleanup of
>>>>> leftovers after deleted servers. How I imagine it from the implementation
>>>>> point of view is that when '--clean' is specified and the server was
>>>>> already deleted, the NotFound error raised from the framework should be
>>>>> ignored and the code should continue in clean up. (I assume that
>>>>> segment/service/dns cleanup will be done in post_callback portion and
>>>>> the topology connectivity/sanity checks in the pre_callback).
>>>>
>>>> When thinking about it, clean could be a separate command which would be
>>>> called internally in post callback of server-del. It would reduce the
>>>> number of ifs in server-del and simplify it in general. It would work
>>>> only if server entry doesn't exist.
>>>>
>>> That was my original idea.
>>> I also thought that 'check_last_link_managed'
>>> could be a separate command, but it is probably not a very good idea to
>>> add the overhead of calling two separate commands to a single API call.
>>> OTOH it would improve the code organization IMHO.
>>
>> Not sure if check_last_link_managed should be an API command. It is
>> already a separate function. What would be the use case for it as a
>> command?
>>
>> Maybe the function should be moved from ipaserver/install/replication to
>> a more suitable place given that it's used from API - it's up to you.
>>
>>>
>>>>> That means that '--clean' has no additional effect when the server
>>>>> exists.
>>>>
>>>> Right
>>>>
>>>>>>>
>>>>>>>
>>>>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
>>>>>>> [2] https://fedorahosted.org/freeipa/ticket/5588
>>>>>>>
>>>
>>>
>
> There are two more things I would like to clarify before I can finish
> the patch:
>
> 1.) We have discussed offline that the ensure_last_services function[1]
> shall be reimplemented in the API command using server roles (I will
> open a ticket for this when time comes). Currently the code works
> interactively, prompting the user about removing last DNS/CA/etc server.
> The behavior is overridden by --force option.
>
> I guess we do not want to have interactive prompting in the API command,
> so we will have to handle this somehow. A proposal would be to by
> default abort removal of last DNS/CA server and add a '--force' option
> which will override this check and also override the disconnected
> topology check (IMHO it is not of much use to keep both options in this
> case). What do you think?

In general +1.
* move services automatically but fail if it is the last
* have override param to force it. It can be mapped to `ipa server-del
  --force`. Or maybe other name than --force (too easy to use, very general).

>
> 2.) Removal of DNS entries is handled by directly calling
> bindinstance/dnskeysyncinstance code[2].
> Obviously this is not very
> desirable in the context of API code since we would then need to
> conditionally import these modules on server side (one option but not
> very nice IMHO). Should I reimplement this code using API commands or
> move the relevant bits into ipapython/ipalib?

Both methods (ensure_last_services, removal of DNS records) should be moved.
There is no need for separate API calls. But we might want to consider other
option if simple move is not so simple.

>
>
> [1]
> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n753
>
>
> [2]
> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n810
>
>
--
Petr Vobornik

From jhrozek at redhat.com Wed Mar 30 12:51:01 2016
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 30 Mar 2016 14:51:01 +0200
Subject: [Freeipa-devel] URI in HBAC - design page
In-Reply-To: <20160324134939.GF16196@redhat.com>
References: <56F2B93D.5090202@redhat.com> <20160324092447.GR16196@redhat.com>
 <56F3D1BD.1050000@redhat.com> <20160324122402.GA16196@redhat.com>
 <56F3E6C6.10700@redhat.com> <56F3EBDE.1090008@redhat.com>
 <20160324134939.GF16196@redhat.com>
Message-ID: <20160330125101.GN3067@hendrix>

(Sorry to come late into this thread..)

On Thu, Mar 24, 2016 at 02:49:39PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
> >
> > I really do not like 'excludes'... Was an approach with longest prefix match
> > considered as an option? I do not see it in the design page.
> >
> > E.g. imagine we have rules:
> > / -> allow anyone
> > /users -> allow all authenticated users
> > /users/edit -> allow admins
> >
> > If the matching engine always selects rule with matching prefix and evaluate
> > only that rule, it would nicely express who is allowed to access what and did
> > not require deny rules (or even rule merging).
This is more or less what was proposed in another discussion: https://lists.fedorahosted.org/archives/list/sssd-devel at lists.fedorahosted.org/thread/GRWONQ3FGGJDVHHD2D2GOO6PJEJQM3Z6/ So I tend to agree with Petr. > > The "Prefix" Evaluation item talks about it. > > The perceived issue is, if for some reason you miss the longest ~~~~~~~~~~ What would be the reasons? During an IRC conversation Jan mentioned operational reasons (like size limit exceeded, timeout during the search etc..) which is something that Jan's automatic-excludes would solve. I don't agree with what the design page says about the inability to make stricter matches work: """ The problem is, in web applications, the longer URI usually means stricter access rules: it would be hard to make rules such that "/users" is accessible by all users and "/users/admin" is only accessible by admin (we can't exclude a subset of some matching set). """ I think the longest-match-wins would solve this, what am I missing? > record when evaluating, you will use the previous shorter one and > allow more access than intended. So from certain POV it's similar to > DENY rules -- if you miss the DENY rule for some reason, you will go > with the allow rule. > > If the excludes are kept up-to-date automatically for each URI > record, matching the next longer prefix, whatever record you find will > include in some attribute information about limits of its validity. > That might address the concern of security implication of exclude / > deny / longest record not found. > > I don't like manual excludes either. My preference would be either the longest match or alternatively the automatic excludes. My only complaint about the automatic excludes is that it adds additional complexity, so the question is whether the additional complexity is worth spending time on. If we could make the excludes work in a reliable and simple way, then sure.
But to be honest, I don't like regular expressions either, they are too fragile and a nightmare to set up and maintain IMO. From mbabinsk at redhat.com Wed Mar 30 13:13:54 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 30 Mar 2016 15:13:54 +0200 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56FBC776.8020509@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com> <56EAC8D2.5020008@redhat.com> <56EACA2F.6060509@redhat.com> <56FBC0D4.2040902@redhat.com> <56FBC776.8020509@redhat.com> Message-ID: <56FBD112.9090900@redhat.com> On 03/30/2016 02:32 PM, Petr Vobornik wrote: > On 03/30/2016 02:04 PM, Martin Babinsky wrote: >> On 03/17/2016 04:15 PM, Petr Vobornik wrote: >>> On 03/17/2016 04:10 PM, Martin Babinsky wrote: >>>> On 03/17/2016 03:37 PM, Petr Vobornik wrote: >>>>> On 03/17/2016 03:17 PM, Martin Babinsky wrote: >>>>>> On 03/17/2016 02:55 PM, Petr Vobornik wrote: >>>>>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>>>>>>> Hi list, >>>>>>>> >>>>>>>> I would like to discuss the merge of `del_master_managed()` >>>>>>>> function >>>>>>>> from `ipa-replica-manage` command into the server_del API call that >>>>>>>> is a >>>>>>>> part of the managed replication topology design update[1] (see also >>>>>>>> the >>>>>>>> corresponding upstream ticket [2]). >>>>>>>> >>>>>>>> Before I head down into coding I want to be sure that everyone is >>>>>>>> one >>>>>>>> the same page regarding the expected use-cases which govern the API >>>>>>>> design. >>>>>>>> >>>>>>>> IIUC, there are two main uses of the new functionality according to >>>>>>>> design document: >>>>>>>> >>>>>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>>>>>>> domain-level 1 >>>>>>> >>>>>>> Right, this is for backwards compatibility(BC). >>>>>>> >>>>>>>> >>>>>>>> 2.) 
during 'ipa-server-install --uninstall', 'server_del' should be >>>>>>>> called on one of remote masters to remove the uninstalled server >>>>>>>> from >>>>>>>> the managed topology >>>>>>>> >>>>>>>> What I didn't get from the design document is whether the method >>>>>>>> should >>>>>>>> have some kind of 'force' option which should bypass all topology >>>>>>>> connectivity checks. Currently both `ipa-replica-manage del` and >>>>>>>> server >>>>>>>> uninstaller have options which will force the removal even if it >>>>>>>> disconnects the topology ('--force' in the former, >>>>>>>> '--ignore-disconnected-topology' in the latter). >>>>>>> >>>>>>> I would say that uninstaller should do checks in validate method >>>>>>> therefore the subsequent `server-del` doesn't need to do it again >>>>>>> but it >>>>>>> shouldn't harm. I.e. it should follow what the user specified. If >>>>>>> user >>>>>>> wants to skip (--ignore-d..-t..) then skip. If not then it will >>>>>>> fail in >>>>>>> validate method. >>>>>>> >>>>>>> Only issue might be error state where servers have different >>>>>>> picture of >>>>>>> the topology. >>>>>>> >>>>>> If the view of the topology is not self-consistent then you have >>>>>> plenty >>>>>> of other issues to take care of and that may include some forced >>>>>> removal >>>>>> and recreation of nodes. >>>>>> >>>>>>>> >>>>>>>> I guess the 'server_del' method should inherit this flag so that we >>>>>>>> retain the original functionality (for better or worse). I >>>>>>>> propose to >>>>>>>> name this option 'ignore_topology_disconnect' because it is more >>>>>>>> descriptive than plain 'force'. >>>>>>> >>>>>>> +1 >>>>>>> >>>>>>> And in BC case, `ipa-replica-manage --force` would call `server-del >>>>>>> --ig..-d..-t...` >>>>>>> >>>>>> Yes. >>>>>>>> >>>>>>>> I would also like to ask whether 'server_del' (which is currently >>>>>>>> NO_CLI) should be usable also from command line. 
>>>>>>> >>>>>>> IMO yes, it should mostly as a couterpart of `ipa-replica-manage >>>>>>> --force >>>>>>> --clean` >>>>>>> >>>>>>> Which bring us to --clean option and what it should do... >>>>>>> >>>>>> According to the design, '--clean' should be used as a cleanup of >>>>>> leftovers after deleted servers. How I image it from the >>>>>> implementation >>>>>> point of view is that when '--clean' is specified and the server was >>>>>> already deleted, the NotFound error raised from the framework >>>>>> should be >>>>>> ignored and the code should continue in clean up. (I assume that >>>>>> segment/service/dns cleanup will be done in post_callback portion and >>>>>> the topology connectivity/sanity checks in the pre_callback). >>>>> >>>>> When thinking about it, clean could be a separate command which >>>>> would be >>>>> called internally in post callback of server-del. It would reduce the >>>>> number of ifs in server-del and simplify it in general. It would work >>>>> only if server entry doesn't exists. >>>>> >>>> That was my original idea. I also thought that >>>> 'check_last_link_managed' >>>> could be a separate command, but it is probably not a very good idea to >>>> add the overhead of calling two separate commands to a single API call. >>>> OTOH it would improve the code organization IMHO. >>> >>> Not sure if check_last_link_managed should be an API command. It is >>> already a separate function. What would be the use case for it as a >>> command? >>> >>> Maybe the function should be moved from ipaserver/install/replication to >>> a more suitable place given that it's used from API - it's up to you. >>> >>>> >>>>>> That means that '--clean' has no additional effect when the server >>>>>> exists. 
>>>>> >>>>> Right >>>>> >>>>>>>> >>>>>>>> >>>>>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>>>>>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>>>>>>> >>>> >>>> >> >> There are two more things I would like to clarify before I can finish >> the patch: >> >> 1.) We have discussed offline that the ensure_last_services function[1] >> shall be reimplemented in the API command using server roles (I will >> open a ticket for this when time comes). Currently the code works >> interactively, prompting the user about removing last DNS/CA/etc server. >> The behavior is overriden by --force option. >> >> I guess we do not want to have interactive prompting in the API command, >> so we will have to handle this somehow. A proposal would be to by >> default abort removal of last DNS/CA server and add a '--force' option >> which will override this check and also override the disconnected >> topology check (IMHO it is not of much use to keep both options in this >> case). What do you think? > > In general +1. > > * move services automatically but fail if it is the last > * have override param to force it. It can be mapped to `ipa server-del > --force`. Or maybe other name than --force (too easy to use, very general). > >> >> 2.) Removal of DNS entries is handled by directly calling >> bindinstance/dnskeysyncinstance code[2]. Obviously this is not very >> desirable in the context of API code since we would then need to >> conditionally import these modules on server side (one option but not >> very nice IMHO). Should I reimplement this code using API commands or >> move the relevant bits into ipapython/ipalib? > > Both methods (ensure_last_services, removal of DNS records) should be > moved. There is no need for separate API calls. > > But we might want to consider other option if simple move is not so simple. 
> well in both ways the move requires a conditional import of server-side modules like this so that it does not break clients: """ if api.env.in_server: from ipaserver.install import bindinstance, dnskeysyncinstance # do magic """ which will make people like Jan Cholasta cringe mightily. I will try to move the code around so that we can avoid these hacks. >> >> >> [1] >> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n753 >> >> >> >> [2] >> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n810 >> >> >> > > -- Martin^3 Babinsky From rcritten at redhat.com Wed Mar 30 14:43:43 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 30 Mar 2016 10:43:43 -0400 Subject: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache In-Reply-To: <56FBACBF.8050906@redhat.com> References: <56FBACBF.8050906@redhat.com> Message-ID: <56FBE61F.4000202@redhat.com> Would it be more robust to call kdestroy -A or is that just overkill in this case? rob From mbasti at redhat.com Wed Mar 30 14:52:08 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 30 Mar 2016 16:52:08 +0200 Subject: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands In-Reply-To: <56F42D93.5050505@redhat.com> References: <56E29266.8000501@redhat.com> <56E6E43B.4050805@redhat.com> <56E7AADC.3060407@redhat.com> <56E7F642.8010109@redhat.com> <56E90C5C.2020703@redhat.com> <56E925D0.2080305@redhat.com> <56E9637B.5080307@redhat.com> <56F2B380.9030504@redhat.com> <1183297765.33667649.1458760420403.JavaMail.zimbra@redhat.com> <56F42D93.5050505@redhat.com> Message-ID: <56FBE818.80805@redhat.com> On 24.03.2016 19:10, Stanislav Laznicka wrote: > On 03/23/2016 08:13 PM, Martin Basti wrote: >> [...] >> Can you please update design >> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly >> the --suffix option)? 
Also there are missing clean-ruv and list-ruv >> commands in design, and fix usage at the bottom. >> >> 1) >> I don't understand this expression >> + if dirman_passwd is None or ( >> + not dirman_passwd and args[0] in cs_enabled_commands): >> >> You already tested if subcommand belongs to cs_enabled_commands few >> lines above, IMO the 'dirman_password is None' expression is enough. > If I understand it well, when empty password is entered, the program > continues and uses Kerberos credentials for some operations. E.g. for > list-ruv, if empty password is entered, the command would only display > RUVs for domain tree but not for the CA tree no matter if CA is set up > or not (in the current state of the patch, after get_ruv refactoring). > This here is one possible way around this, although the check for > non-empty password might probably just as well be in > get_ruv_both_suffixes. ok >> 2) >> +# tuple of commands that work with ca tree and need Directory Manager >> password >> +cs_enabled_commands = ("list-ruv", "clean-ruv", "abort-clean-ruv") >> >> this variable is used only to detect if dirman passwd is needed, I >> suggest to rename it to commands_req_dirman_passwd, or something better. >> >> 3) >> Q: Do we need is_cs_set() function? >> A: Yes! >> >> I wanted to give you ultimate NACK, but then I checked how get_ruv code >> works and I changed my mind. >> >> Please write a comment where is_cs_set function is used, why we need >> extra function instead of catching an exception, possibly you can open a >> refactoring ticket. > After the refactoring changes, is_cs_set should not be needed anymore, > removed it. >> >> Shame: >> 1) >> + if not test_connection(realm, host, options.nolookup) or\ >> Please use parentheses instead of backslash >> >> 2) >> + args[0] in cs_enabled_commands: >> >> + not dirman_passwd and args[0] in cs_enabled_commands): >> >> Indentation is not multiplication of 4 > Shame on me indeed, fixed it.
>> >> Nitpicks (I don't insist on fixing these): >> 1) >> + if servers.get('ca', None): >> >> None is default >> >> 2) >> + for (netloc, rid) in servers['ca']: >> parentheses are not needed >> >> 3) >> + print("\t%s: %s" % (netloc, rid)) >> Would be nice to use .format() instead of % >> >> Martin^2 >> >> >> >> I changed my mind, ultimate NACK. >> Please fix get_ruv function, is_cs_set will not help. In case there >> are no RUVs but CA is installed, sys.exit there prevents us from >> removing RUVs (or any else operation) on domain suffix, and vice versa. >> I propose to move ticket to 4.4 milestone because I would like to >> avoid breaking something in 4.3, as this will hit many places in >> ipa-replica-manage. >> >> Please provide the refactoring of get_ruv as separate patch a put >> these patches on top of it. >> >> Martin2 > Did the refactoring. There also seemed to be duplicit code in > abort_clean_ruv for some reason, removed it (I hope it does not break > anything, but it seemed rather useless). Also had to change the > numbers of the patches so that they would apply. NACK * ipa-replica-manage refactoring * 1) Instead of: - print("Failed to connect to server %s: %s" % (host, e)) - sys.exit(1) + root_logger.debug("Failed to connect to server {host}: {err}" + .format(host=host, err=e)) + raise RuntimeError(e) I expected - print("Failed to connect to server %s: %s" % (host, e)) - sys.exit(1) + root_logger.debug(traceback.format_exc()) + raise RuntimeError("Failed to connect to server {host}: {err}" + .format(host=host, err=e))) 2) - print("No RUV records found.") - sys.exit(0) Here is exit state 0, so we should not raise error. I think that we should create new nonfatal exception. 
3) - print("unable to decode: %s" % ruv) + root_logger.debug("unable to decode: %s" % ruv) This may break tests, because the logger logs to stderr, leave it as print for now 4) - servers = get_ruv(realm, host, dirman_passwd, nolookup) + try: + servers = get_ruv(realm, host, dirman_passwd, nolookup) + except RuntimeError as e: + print(e) + sys.exit(1) again we have to print it to stdout for now. * abort-clean/list/clean-ruv now work for both suffixes * - if dirman_passwd is None: + if dirman_passwd is None or ( + not dirman_passwd and args[0] in dirman_passwd_req_commands): sys.exit("Directory Manager password required") Please fix other patch accordingly. Martin^2 From rharwood at redhat.com Wed Mar 30 18:50:52 2016 From: rharwood at redhat.com (Robbie Harwood) Date: Wed, 30 Mar 2016 14:50:52 -0400 Subject: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache In-Reply-To: <56FBE61F.4000202@redhat.com> References: <56FBACBF.8050906@redhat.com> <56FBE61F.4000202@redhat.com> Message-ID: Rob Crittenden writes: > Would it be more robust to call kdestroy -A or is that just overkill in > this case? I believe it would be superior to call `kdestroy -A`, yes. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From pspacek at redhat.com Thu Mar 31 06:08:47 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 31 Mar 2016 08:08:47 +0200 Subject: [Freeipa-devel] server_del (re)implementation in domain level 1 topology management In-Reply-To: <56FBD112.9090900@redhat.com> References: <56EAB37A.5070606@redhat.com> <56EAB764.5060200@redhat.com> <56EABC90.2080205@redhat.com> <56EAC116.3000504@redhat.com> <56EAC8D2.5020008@redhat.com> <56EACA2F.6060509@redhat.com> <56FBC0D4.2040902@redhat.com> <56FBC776.8020509@redhat.com> <56FBD112.9090900@redhat.com> Message-ID: <56FCBEEF.7050408@redhat.com> On 30.3.2016 15:13, Martin Babinsky wrote: > On 03/30/2016 02:32 PM, Petr Vobornik wrote: >> On 03/30/2016 02:04 PM, Martin Babinsky wrote: >>> On 03/17/2016 04:15 PM, Petr Vobornik wrote: >>>> On 03/17/2016 04:10 PM, Martin Babinsky wrote: >>>>> On 03/17/2016 03:37 PM, Petr Vobornik wrote: >>>>>> On 03/17/2016 03:17 PM, Martin Babinsky wrote: >>>>>>> On 03/17/2016 02:55 PM, Petr Vobornik wrote: >>>>>>>> On 03/17/2016 02:39 PM, Martin Babinsky wrote: >>>>>>>>> Hi list, >>>>>>>>> >>>>>>>>> I would like to discuss the merge of `del_master_managed()` >>>>>>>>> function >>>>>>>>> from `ipa-replica-manage` command into the server_del API call that >>>>>>>>> is a >>>>>>>>> part of the managed replication topology design update[1] (see also >>>>>>>>> the >>>>>>>>> corresponding upstream ticket [2]). >>>>>>>>> >>>>>>>>> Before I head down into coding I want to be sure that everyone is >>>>>>>>> one >>>>>>>>> the same page regarding the expected use-cases which govern the API >>>>>>>>> design. >>>>>>>>> >>>>>>>>> IIUC, there are two main uses of the new functionality according to >>>>>>>>> design document: >>>>>>>>> >>>>>>>>> 1.) run 'server_del' when 'ipa-replica-manage del' is run in >>>>>>>>> domain-level 1 >>>>>>>> >>>>>>>> Right, this is for backwards compatibility(BC). 
>>>>>>>> >>>>>>>>> >>>>>>>>> 2.) during 'ipa-server-install --uninstall', 'server_del' should be >>>>>>>>> called on one of remote masters to remove the uninstalled server >>>>>>>>> from >>>>>>>>> the managed topology >>>>>>>>> >>>>>>>>> What I didn't get from the design document is whether the method >>>>>>>>> should >>>>>>>>> have some kind of 'force' option which should bypass all topology >>>>>>>>> connectivity checks. Currently both `ipa-replica-manage del` and >>>>>>>>> server >>>>>>>>> uninstaller have options which will force the removal even if it >>>>>>>>> disconnects the topology ('--force' in the former, >>>>>>>>> '--ignore-disconnected-topology' in the latter). >>>>>>>> >>>>>>>> I would say that uninstaller should do checks in validate method >>>>>>>> therefore the subsequent `server-del` doesn't need to do it again >>>>>>>> but it >>>>>>>> shouldn't harm. I.e. it should follow what the user specified. If >>>>>>>> user >>>>>>>> wants to skip (--ignore-d..-t..) then skip. If not then it will >>>>>>>> fail in >>>>>>>> validate method. >>>>>>>> >>>>>>>> Only issue might be error state where servers have different >>>>>>>> picture of >>>>>>>> the topology. >>>>>>>> >>>>>>> If the view of the topology is not self-consistent then you have >>>>>>> plenty >>>>>>> of other issues to take care of and that may include some forced >>>>>>> removal >>>>>>> and recreation of nodes. >>>>>>> >>>>>>>>> >>>>>>>>> I guess the 'server_del' method should inherit this flag so that we >>>>>>>>> retain the original functionality (for better or worse). I >>>>>>>>> propose to >>>>>>>>> name this option 'ignore_topology_disconnect' because it is more >>>>>>>>> descriptive than plain 'force'. >>>>>>>> >>>>>>>> +1 >>>>>>>> >>>>>>>> And in BC case, `ipa-replica-manage --force` would call `server-del >>>>>>>> --ig..-d..-t...` >>>>>>>> >>>>>>> Yes. 
>>>>>>>>> >>>>>>>>> I would also like to ask whether 'server_del' (which is currently >>>>>>>>> NO_CLI) should be usable also from command line. >>>>>>>> >>>>>>>> IMO yes, it should mostly as a couterpart of `ipa-replica-manage >>>>>>>> --force >>>>>>>> --clean` >>>>>>>> >>>>>>>> Which bring us to --clean option and what it should do... >>>>>>>> >>>>>>> According to the design, '--clean' should be used as a cleanup of >>>>>>> leftovers after deleted servers. How I image it from the >>>>>>> implementation >>>>>>> point of view is that when '--clean' is specified and the server was >>>>>>> already deleted, the NotFound error raised from the framework >>>>>>> should be >>>>>>> ignored and the code should continue in clean up. (I assume that >>>>>>> segment/service/dns cleanup will be done in post_callback portion and >>>>>>> the topology connectivity/sanity checks in the pre_callback). >>>>>> >>>>>> When thinking about it, clean could be a separate command which >>>>>> would be >>>>>> called internally in post callback of server-del. It would reduce the >>>>>> number of ifs in server-del and simplify it in general. It would work >>>>>> only if server entry doesn't exists. >>>>>> >>>>> That was my original idea. I also thought that >>>>> 'check_last_link_managed' >>>>> could be a separate command, but it is probably not a very good idea to >>>>> add the overhead of calling two separate commands to a single API call. >>>>> OTOH it would improve the code organization IMHO. >>>> >>>> Not sure if check_last_link_managed should be an API command. It is >>>> already a separate function. What would be the use case for it as a >>>> command? >>>> >>>> Maybe the function should be moved from ipaserver/install/replication to >>>> a more suitable place given that it's used from API - it's up to you. >>>> >>>>> >>>>>>> That means that '--clean' has no additional effect when the server >>>>>>> exists. 
>>>>>> >>>>>> Right >>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> [1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>>>>>>> [2] https://fedorahosted.org/freeipa/ticket/5588 >>>>>>>>> >>>>> >>>>> >>> >>> There are two more things I would like to clarify before I can finish >>> the patch: >>> >>> 1.) We have discussed offline that the ensure_last_services function[1] >>> shall be reimplemented in the API command using server roles (I will >>> open a ticket for this when time comes). Currently the code works >>> interactively, prompting the user about removing last DNS/CA/etc server. >>> The behavior is overriden by --force option. >>> >>> I guess we do not want to have interactive prompting in the API command, >>> so we will have to handle this somehow. A proposal would be to by >>> default abort removal of last DNS/CA server and add a '--force' option >>> which will override this check and also override the disconnected >>> topology check (IMHO it is not of much use to keep both options in this >>> case). What do you think? >> >> In general +1. >> >> * move services automatically but fail if it is the last >> * have override param to force it. It can be mapped to `ipa server-del >> --force`. Or maybe other name than --force (too easy to use, very general). >> >>> >>> 2.) Removal of DNS entries is handled by directly calling >>> bindinstance/dnskeysyncinstance code[2]. Obviously this is not very >>> desirable in the context of API code since we would then need to >>> conditionally import these modules on server side (one option but not >>> very nice IMHO). Should I reimplement this code using API commands or >>> move the relevant bits into ipapython/ipalib? >> >> Both methods (ensure_last_services, removal of DNS records) should be >> moved. There is no need for separate API calls. >> >> But we might want to consider other option if simple move is not so simple. 
>> > well in both ways the move requires a conditional import of server-side > modules like this so that it does not break clients: > """ > if api.env.in_server: > from ipaserver.install import bindinstance, dnskeysyncinstance > # do magic > """ > > which will make people like Jan Cholasta cringe mightily. > > I will try to move the code around so that we can avoid these hacks. BTW I will have to rewrite most of the DNS record management for DNS locations anyway so you might want to let it be as it for now and I will do it at once together with rest of the codebase. Petr^2 Spacek >>> [1] >>> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n753 >>> >>> >>> >>> >>> [2] >>> https://git.fedorahosted.org/cgit/freeipa.git/tree/install/tools/ipa-replica-manage?h=ipa-4-3#n810 From ofayans at redhat.com Thu Mar 31 06:50:30 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 31 Mar 2016 08:50:30 +0200 Subject: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache In-Reply-To: References: <56FBACBF.8050906@redhat.com> <56FBE61F.4000202@redhat.com> Message-ID: <56FCC8B6.8080605@redhat.com> Hi, The updated patch is included On 03/30/2016 08:50 PM, Robbie Harwood wrote: > Rob Crittenden writes: > >> Would it be more robust to call kdestroy -A or is that just overkill in >> this case? > > I believe it would be superior to call `kdestroy -A`, yes. > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-ofayans-0032.1-Added-a-kdestroy-call-to-clean-ccache.patch Type: text/x-patch Size: 960 bytes Desc: not available URL: From mbasti at redhat.com Thu Mar 31 07:49:28 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 31 Mar 2016 09:49:28 +0200 Subject: [Freeipa-devel] [PATCH 0452] Add missing pre_common_callback to stageuser-add Message-ID: <56FCD688.80204@redhat.com> https://fedorahosted.org/freeipa/ticket/5759 Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0452-Add-missing-pre_common_callback-to-stageuser_add.patch Type: text/x-patch Size: 1121 bytes Desc: not available URL: From pspacek at redhat.com Thu Mar 31 07:58:28 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 31 Mar 2016 09:58:28 +0200 Subject: [Freeipa-devel] Locations design v2: LDAP schema & user interface In-Reply-To: <56D06321.3080109@redhat.com> References: <56B23BE0.4000207@redhat.com> <56B388A9.5090206@redhat.com> <56C6CB31.7080005@redhat.com> <1455895907.6599.104.camel@redhat.com> <56CC2DC7.7050006@redhat.com> <56CC45D5.6010705@redhat.com> <1456237158.6599.193.camel@redhat.com> <56CC9138.8010409@redhat.com> <1456247697.6599.244.camel@redhat.com> <56CC9DFB.3050106@redhat.com> <56CD7117.8000202@redhat.com> <1456323946.6599.254.camel@redhat.com> <56CF058E.4020709@redhat.com> <1456410481.6599.279.camel@redhat.com> <56CF15BC.4030003@redhat.com> <1456415190.6599.302.camel@redhat.com> <56D06321.3080109@redhat.com> Message-ID: <56FCD8A4.70107@redhat.com> On 26.2.2016 15:37, Petr Spacek wrote: > On 25.2.2016 16:46, Simo Sorce wrote: >> On Thu, 2016-02-25 at 15:54 +0100, Petr Spacek wrote: >>> On 25.2.2016 15:28, Simo Sorce wrote: >>>> On Thu, 2016-02-25 at 14:45 +0100, Petr Spacek wrote: >>>>> Variant C >>>>> --------- >>>>> An alternative is to be lazy and dumb. Maybe it would be enough for >>>>> the first >>>>> round ... 
>>>>> >>>>> We would retain >>>>> [first step - no change from variant A] >>>>> * create locations >>>>> * assign 'main' (aka 'primary' aka 'home') servers to locations >>>>> ++ specify weights for the 'main' servers in given location, i.e. >>>>> manually >>>>> input (server, weight) tuples >>>>> >>>>> Then, backups would be auto-generated set of all remaining servers >>>>> from all >>>>> other locations. >>>>> >>>>> Additional storage complexity: 0 >>>>> >>>>> This covers the scenario "always prefer local servers and use remote >>>>> only as >>>>> fallback" easily. It does not cover any other scenario. >>>>> >>>>> This might be sufficient for the first run and would allow us to >>>>> gather some >>>>> feedback from the field. >>>>> >>>>> Now I'm inclined to this variant :-) >>>> >>>> To be honest, this is all I always had in mind, for the first step. >>>> >>>> To recap: >>>> - define a location with the list of servers (perhaps location is a >>>> property of server objects so you can have only one location per server, >>>> and if you remove the server it is automatically removed from the >>>> location w/o additional work or referential integrity necessary), if >>>> weight is not defined (default) then they all have the same weight. >>> >>> Agreed. >>> >>> >>>> - Allow to specify backup locations in the location object, priorities >>>> are calculated automatically and all backup locations have same weight. >>> >>> Hmm, weights have to be inherited form the original location in all cases. Did >>> you mean that all backup locations have the same *priority*? >> >> Yes, sorry. >> >>> Anyway, explicit configuration of backup locations is introducing API and >>> schema for variant A and that is what I'm questioning above. It is hard to >>> make it extensible so we do not have headache in future when somebody decides >>> that more flexibility is needed OR that link-based approach is better. 
>> >> I think no matter we do we'll need to allow admins to override backup >> locations, in future if we can calculate them automatically admins will >> simply not set any backup location explicitly (or set some special value >> like "autogenerate" and the system will do it for them. >> >> Forcing admins to mentally calculate weights to force the system to >> autogenerate the configuration they want would be a bad experience, I >> personally would find it very annoying. >> >>> In other words, for doing what you propose above we would have to design >>> complete schema and API for variant A anyway to make sure we do not lock >>> ourselves, so we are not getting any saving by doing so. >> >> A seemed much more complicated to me, as you wanted to define a ful >> matrix for weights of servers when they are served as backups and all >> that. >> >>>> - Define a *default* location, which is the backup for any other >>>> location but always with lower priority to any other explicitly defined >>>> backup locations. >>> >>> I would rather *always* use the default location as backup for all other >>> locations. It does not require any API or schema (as it equals to "all >>> servers" except "servers in this location" which can be easily calculated on fly). >> >> We can start with this, but it works well only in a stellar topology >> where you have a central location all other location connect to. >> As soon as you have a super-stellar topology where you have hub location >> to which regional locations connect to, then this is wasteful. >> >>> This can be later on extended in whatever direction we want without any >>> upgrade/migration problem. >>> >>> More importantly, all the schema and API will be common for all other variants >>> anyway so we can start doing so and see how much time is left when it is done. >> >> I am ok with this for the first step. 
>> After all location is mostly about the "normal" case where clients want >> to reach the local servers, the backup part is only an additional >> feature we can keep simple for now. It's a degraded mode of operation >> anyway so it is probably ok to have just one default backup location as >> a starting point. > > Okay, now we are in agreement. I will think about minimal schema and API over > the weekend. Well, it took longer than one weekend. There were a couple of changes in the design document: * Feature Management: CLI proposal * Feature Management: web UI - idea with topology graph replaced original complicated table * Feature Management: described necessary configuration outside of IPA DNS * Version 1 parts which were moved into separate document: V4/DNS_Location_Mechanism_with_per_client_override * Assumptions: removed misleading reference to DHCP, clarified role of DNS views * Assumptions: removed misleading mention of 'different networks' and added summary explaining how Location is defined * Implementation: high-level outline added Current version: http://www.freeipa.org/page/V4/DNS_Location_Mechanism Full diff: http://www.freeipa.org/index.php?title=V4%2FDNS_Location_Mechanism&diff=12603&oldid=12514 Practical usage is described in section How to test: http://www.freeipa.org/page/V4/DNS_Location_Mechanism#How_to_Test I will think about LDAP schema after we agree on CLI. Petr^2 Spacek > Petr^2 Spacek > > >>>> - Weights for backup location servers are the same as the weight defined >>>> within the backup location itself, so no additional weights are defined >>>> for backups. >>> >>> Yes, that was somehow implied in the variant A. Sorry for not mentioning it. >>> Weight is always relative number for servers inside one location. >> >> Ok it looked a lot more complex from your description. >> >> Simo.
-- Petr^2 Spacek From ofayans at redhat.com Thu Mar 31 10:05:16 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 31 Mar 2016 12:05:16 +0200 Subject: [Freeipa-devel] [TEST][patch-0033] Added assertion errors to topology tests, track N 5772 Message-ID: <56FCF65C.8000709@redhat.com> -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0033-Added-assertion-error-messages-in-topology-tests.patch Type: text/x-patch Size: 9380 bytes Desc: not available URL: From ofayans at redhat.com Thu Mar 31 10:07:47 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 31 Mar 2016 12:07:47 +0200 Subject: [Freeipa-devel] [TEST][patch-0033] Added assertion errors to topology tests, track N 5772 In-Reply-To: <56FCF65C.8000709@redhat.com> References: <56FCF65C.8000709@redhat.com> Message-ID: <56FCF6F3.9040007@redhat.com> Please, disregard it for a while, it does not pass lint. On 03/31/2016 12:05 PM, Oleg Fayans wrote: > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. 
From pvomacka at redhat.com Thu Mar 31 10:42:59 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 31 Mar 2016 12:42:59 +0200 Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group In-Reply-To: <56EBD74C.40709@redhat.com> References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com> <56DEBE89.70808@redhat.com> <56DEC2DF.3000801@redhat.com> <56E1B5CC.7070208@redhat.com> <56EBD74C.40709@redhat.com> Message-ID: <56FCFF33.7060801@redhat.com> On 03/18/2016 11:24 AM, Lenka Doudova wrote: > > > On 03/10/2016 06:58 PM, Petr Vobornik wrote: >> On 03/08/2016 01:17 PM, Lenka Doudova wrote: >>> >>> >>> On 03/08/2016 12:59 PM, Petr Vobornik wrote: >>>> On 03/07/2016 04:29 PM, Pavel Vomacka wrote: >>>>> >>>>> >>>>> On 02/25/2016 03:08 PM, Lenka Doudova wrote: >>>>>> Hi, >>>>>> >>>>>> here's a patch for webUI tests that provides test for creating user >>>>>> without private group. >>>>>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986 >>>>>> >>>>>> Since the option to specify GID when creating a user is not >>>>>> available >>>>>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new >>>>>> posix group, makes it a default user group instead of 'ipausers' and >>>>>> then attempts to create the user without private group. Returning >>>>>> default user group value to 'ipausers' is provided even for cases >>>>>> when >>>>>> the test fails so it would not block other tests from performing >>>>>> properly. >>>>>> >>>>>> Lenka >>>>>> >>>>>> >>>>> Hi, >>>>> >>>>> ACK, works well. >>>>> >>>>> Pavel^3 Vomacka >>>>> >>>> >>>> NACK, don't use naked except, specify at least 'Exception' >>>> + except: >>>> >>> >>> Thanks, patch fixed according to Petr's review attached. >>> >>> Lenka >> >> Ticket 5505 was pushed. So the workaround can be removed. Do you >> prefer to do it in this patch? >> >> Also, maybe it would be good to test both cases and check if the >> error is actually the right one. 
> > Hi, > > attaching patch fixed according to recently pushed changes. > > Lenka Hi, NACK, 1) The data definition for user3 (user.DATA3) is not used anywhere. And the definition is actually the same as definition of user4. So, I think that it could be removed. 2) This is just a detail, but I would rather use 'combobox_input' or 'combobox_textbox' as parameter name because the parameter actually doesn't represent the value of combobox. Otherwise it works as expected. -- Pavel^3 Vomacka From mbasti at redhat.com Thu Mar 31 11:10:59 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 31 Mar 2016 13:10:59 +0200 Subject: [Freeipa-devel] [TEST][patch-0033] Added assertion errors to topology tests, track N 5772 In-Reply-To: <56FCF6F3.9040007@redhat.com> References: <56FCF65C.8000709@redhat.com> <56FCF6F3.9040007@redhat.com> Message-ID: <56FD05C3.6010305@redhat.com> On 31.03.2016 12:07, Oleg Fayans wrote: > Please, disregard it for a while, it does not pass lint. > > On 03/31/2016 12:05 PM, Oleg Fayans wrote: >> >> NACK Please send unrelated changes in separate patches. I do not see relation between changing variable names, adding assertion messages and setting replication sleep-a-bit wait. IMO to the ticket in the patch only assertion changes are related. For the pylint related errors: assert ('any value', 'in tuple') is always true. 
right syntax is assert (any test), ('error msg') Martin^2 From mbasti at redhat.com Thu Mar 31 11:45:03 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 31 Mar 2016 13:45:03 +0200 Subject: [Freeipa-devel] [PATCH 0088-0095] Add --forward-policy option into installers In-Reply-To: <56F01891.5030704@redhat.com> References: <56E1E3B2.3070907@redhat.com> <20160310211744.GD32482@mail.corp.redhat.com> <56F01891.5030704@redhat.com> Message-ID: <56FD0DBF.7030307@redhat.com> On 21.03.2016 16:51, Petr Spacek wrote: > On 10.3.2016 22:17, Lukas Slebodnik wrote: >> On (10/03/16 22:14), Petr Spacek wrote: >>> Hello, >>> >>> I forgot to send a patches before I leave, so here it is: >>> >>> Auto-detect default value for --forward-policy option in installers >>> >>> See >>> https://fedorahosted.org/freeipa/ticket/5710 >>> commit messages, and design page >>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/AutomaticEmptyZones >>> >>> >>> I did not have time to test it thoroughly but it LGTM :-D >>> >>> Please note that this is first part, it does not solve upgrade (yet) and >>> warnings in forwardzone-* interface. >>> >>> This can be solved in another patch set, this can be pushed if it passes review. >>> >> ENOPATH > LOL, here it is. > > > * Remove function ipapython.ipautil.host_exists() * ACK * Extend installers with --forward-policy option * 1) There is no --forward-policy option in ipa-dns-install * Move automatic empty zone list into ipapython.dnsutil and make it reusable * ACK * Add assert_absolute_dnsname() helper to ipapython.dnsutil * ACK * Move function is_auto_empty_zone() into ipapython.dnsutil * ACK * Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone() * ACK * Add function ipapython.dnsutil.inside_auto_empty_zone() * ACK * Auto-detect default value for --forward-policy option in installers * LGTM, but ipa-dns-install is missing option --forward-policy # ipa-dns-install ... 
Unexpected error - see /var/log/ipaserver-install.log for details: AttributeError: Values instance has no attribute 'forward_policy' Summary: 6 ACKs, 1 LGTM, 1 NACK => NACK Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Mar 31 12:55:33 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 31 Mar 2016 08:55:33 -0400 Subject: [Freeipa-devel] [TEST][patch-0032] Added a kdestroy call to clean ccache In-Reply-To: <56FCC8B6.8080605@redhat.com> References: <56FBACBF.8050906@redhat.com> <56FBE61F.4000202@redhat.com> <56FCC8B6.8080605@redhat.com> Message-ID: <56FD1E45.7010709@redhat.com> Oleg Fayans wrote: > Hi, > > The updated patch is included > > On 03/30/2016 08:50 PM, Robbie Harwood wrote: >> Rob Crittenden writes: >> >>> Would it be more robust to call kdestroy -A or is that just overkill in >>> this case? >> >> I believe it would be superior to call `kdestroy -A`, yes. >> > Untested but LGTM. rob From ldoudova at redhat.com Thu Mar 31 14:16:44 2016 From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 31 Mar 2016 16:16:44 +0200 Subject: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group In-Reply-To: <56FCFF33.7060801@redhat.com> References: <56CF0AD6.4060505@redhat.com> <56DD9E73.1020609@redhat.com> <56DEBE89.70808@redhat.com> <56DEC2DF.3000801@redhat.com> <56E1B5CC.7070208@redhat.com> <56EBD74C.40709@redhat.com> <56FCFF33.7060801@redhat.com> Message-ID: <56FD314C.4080809@redhat.com> On 03/31/2016 12:42 PM, Pavel Vomacka wrote: > > > On 03/18/2016 11:24 AM, Lenka Doudova wrote: >> >> >> On 03/10/2016 06:58 PM, Petr Vobornik wrote: >>> On 03/08/2016 01:17 PM, Lenka Doudova wrote: >>>> >>>> >>>> On 03/08/2016 12:59 PM, Petr Vobornik wrote: >>>>> On 03/07/2016 04:29 PM, Pavel Vomacka wrote: >>>>>> >>>>>> >>>>>> On 02/25/2016 03:08 PM, Lenka Doudova wrote: >>>>>>> Hi, >>>>>>> >>>>>>> here's a patch for webUI tests that provides test for creating user >>>>>>> 
without private group. >>>>>>> Related to ticket https://fedorahosted.org/freeipa/ticket/4986 >>>>>>> >>>>>>> Since the option to specify GID when creating a user is not >>>>>>> available >>>>>>> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new >>>>>>> posix group, makes it a default user group instead of 'ipausers' >>>>>>> and >>>>>>> then attempts to create the user without private group. Returning >>>>>>> default user group value to 'ipausers' is provided even for >>>>>>> cases when >>>>>>> the test fails so it would not block other tests from performing >>>>>>> properly. >>>>>>> >>>>>>> Lenka >>>>>>> >>>>>>> >>>>>> Hi, >>>>>> >>>>>> ACK, works well. >>>>>> >>>>>> Pavel^3 Vomacka >>>>>> >>>>> >>>>> NACK, don't use naked except, specify at least 'Exception' >>>>> + except: >>>>> >>>> >>>> Thanks, patch fixed according to Petr's review attached. >>>> >>>> Lenka >>> >>> Ticket 5505 was pushed. So the workaround can be removed. Do you >>> prefer to do it in this patch? >>> >>> Also, maybe it would be good to test both cases and check if the >>> error is actually the right one. >> >> Hi, >> >> attaching patch fixed according to recently pushed changes. >> >> Lenka > Hi, > > NACK, > > 1) The data definition for user3 (user.DATA3) is not used anywhere. > And the definition is actually the same as definition of user4. So, I > think that it could be removed. > > 2) This is just a detail, but I would rather use 'combobox_input' or > 'combobox_textbox' as parameter name because the parameter actually > doesn't represent the value of combobox. > > Otherwise it works as expected. > > -- > Pavel^3 Vomacka > Hi, thanks for comments, updated patch attached. Lenka -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-ldoudova-0011.4-WebUI-Test-creating-user-without-private-group.patch Type: text/x-patch Size: 7091 bytes Desc: not available URL: From pvomacka at redhat.com Thu Mar 31 14:59:08 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 31 Mar 2016 16:59:08 +0200 Subject: [Freeipa-devel] [PATCH] 0011 webui: Offer OTP generation for host enrollment in the UI Message-ID: <56FD3B3C.9020307@redhat.com> Hello, This patch adds option to add host dialog which allows to show generated OTP. The patch also changes the way of informing user about success of adding host but only when the 'Generate OTP' option is checked. https://fedorahosted.org/freeipa/ticket/4602 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0011-Add-option-to-show-OTP-when-adding-host.patch Type: text/x-patch Size: 7109 bytes Desc: not available URL: From ofayans at redhat.com Thu Mar 31 15:15:35 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 31 Mar 2016 17:15:35 +0200 Subject: [Freeipa-devel] [TEST][patch-0033] Added assertion errors to topology tests, track N 5772 In-Reply-To: <56FD05C3.6010305@redhat.com> References: <56FCF65C.8000709@redhat.com> <56FCF6F3.9040007@redhat.com> <56FD05C3.6010305@redhat.com> Message-ID: <56FD3F17.8000507@redhat.com> Hi Martin, Thanks for the review. The updated patch(es) are included Testrun output can be found here: http://fpaste.org/347800/59421745/ On 03/31/2016 01:10 PM, Martin Basti wrote: > > > On 31.03.2016 12:07, Oleg Fayans wrote: >> Please, disregard it for a while, it does not pass lint. >> >> On 03/31/2016 12:05 PM, Oleg Fayans wrote: >>> >>> > NACK > > Please send unrelated changes in separate patches. I do not see relation > between changing variable names, adding assertion messages and setting > replication sleep-a-bit wait. Agreed. There are two necessary bugfixes for the testsuite to run. 
They were put into a separate patch > > IMO to the ticket in the patch only assertion changes are related. > > For the pylint related errors: > assert ('any value', 'in tuple') > is always true. > right syntax is > assert (any test), ('error msg') thank you! > > Martin^2 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0033.1-Added-assertion-error-messages-in-topology-tests.patch Type: text/x-patch Size: 7886 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0034-Bugfixes-in-replication_topology-tests.patch Type: text/x-patch Size: 3950 bytes Desc: not available URL:
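
The pylint finding quoted in the message above (an assert whose condition and message sit in one tuple is always true, so the test can never fail) can be checked for mechanically. The following is an added example, not part of the thread or of the FreeIPA patches; the sample test source and the function name find_tuple_asserts are constructed for illustration.

```python
import ast

# Constructed sample test source (not taken from the FreeIPA patch).
# Lines 3 and 4 wrap condition and message in one tuple; lines 5 and 6
# use the two correct spellings.
SAMPLE = '''
def test_segment_removed(result):
    assert (result.returncode == 0, "segment deletion failed")
    assert(result.returncode == 0, "segment deletion failed")
    assert result.returncode == 0, "segment deletion failed"
    assert (result.returncode == 0), ("segment deletion failed")
'''


def find_tuple_asserts(source, filename="<sample>"):
    """Return sorted (lineno, statement) pairs for always-true asserts.

    A non-empty tuple is truthy regardless of its contents, so an assert
    whose test expression is such a tuple never raises AssertionError and
    its intended message is never reported.
    """
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assert):
            continue
        # The parenthesised "(cond, msg)" form parses as a Tuple test
        # with no separate msg; the correct form has a non-tuple test.
        if isinstance(node.test, ast.Tuple) and node.test.elts:
            findings.append((node.lineno,
                             ast.get_source_segment(source, node)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, text in find_tuple_asserts(SAMPLE):
        print("line %d: always-true assert: %s" % (lineno, text))
```

Run over a test module's source, an empty result means no assert in it has been neutralised this way.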