[Freeipa-devel] [PATCH] 391-395, 398 Fedora 19 build and install fixes

Tomas Babej tbabej at redhat.com
Fri Mar 29 07:13:15 UTC 2013


On 03/28/2013 03:04 PM, Martin Kosek wrote:
> On 03/28/2013 10:20 AM, Martin Kosek wrote:
>> On 03/27/2013 10:42 AM, Tomas Babej wrote:
>>> On Tue 26 Mar 2013 06:49:59 PM CET, Martin Kosek wrote:
>>>> On 03/26/2013 06:32 PM, Tomas Babej wrote:
>>>>> On 03/26/2013 05:38 PM, Martin Kosek wrote:
>>>>>> On 03/21/2013 11:59 AM, Martin Kosek wrote:
>>>>>>> This set of patches (details in commit messages) allows build and
>>>>>>> installation of FreeIPA in Fedora 19. I tested server and replica
>>>>>>> install (master on f18, replica on f19) and both worked fine.
>>>>>>>
>>>>>>> The patches are compatible with Fedora 18 (I tested).
>>>>>>>
>>>>>>> If your Fedora 19 does not have bind-9.9.2-11.P1.fc19, you may need
>>>>>>> to get that from koji:
>>>>>>>
>>>>>>> Bug 920713 - named timeouts when started via systemd
>>>>>>>
>>>>>>> Also, to fix trusts and ipa-adtrust-install, I had to use my custom
>>>>>>> build of 389-ds-base as current builds do not accept Kerberos tickets
>>>>>>> greater than 2048 bytes. This is the bug I filed:
>>>>>>>
>>>>>>> Bug 923879 - 389-ds-base cannot handle Kerberos tickets with PAC
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>> Sending rebased patches (there was a conflict in spec changelog).
>>>>>>
>>>>>> Martin
>>>>>>
>>>>> This still needs the following rebase (changelog is not in
>>>>> chronological order):
>>>>>
>>>>> -* Wed Mar 13 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>>> +* Tue Mar 26 2013 Martin Kosek <mkosek at redhat.com> - 3.1.99-2
>>>> Right, I will fix that.
>>>>
>>>>> The build on F19 went OK, however, IPA installation on F19 fails with
>>>>> the following error:
>>>>>
>>>>> [snip]
>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3
>>>>> minutes 30 seconds
>>>>>     [1/20]: creating certificate server user
>>>>>     [2/20]: configuring certificate server instance
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> IOError: [Errno 2] No such file or directory:
>>>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>> What pki-ca version do you use? There were some related fixes for bugs
>>>> I found in pki-ca component (see Bug 919476). I used
>>>> pki-ca-10.0.1-2.1.fc19.noarch
>>>>
>>> The version is the same.
>>>
>>>> If you have this version or higher, what is the root cause of the
>>>> failure? Is there any useful info in ipaserver-install.log?
>>>>
>>> I haven't been able to identify the cause. There seems to be an issue with
>>> certmonger as well, since consequent uninstallation fails with:
>>>
>>>
>> [snip]
>>> 2013-03-26T17:03:19Z INFO The ipa-server-install command failed, exception:
>>> IOError: [Errno 2] No such file or directory:
>>> '/root/.pki/pki-tomcat/ca_admin_cert.p12'
>>>
>>>> Thanks,
>>>> Martin
>>>>
>>>>>
>>>>> Patches work fine on F18.
>>>>>
>>>>> Tomas
>>>
>> Tomas is investigating the Fedora 19 failure, it was most probably caused by
>> improperly upgraded VM. Sending updated and rebased patchset addressing issues
>> found so far.
>>
>> I also reopened BIND bug as BIND does not start after reboot due to wrong
>> tmpfiles.d configuration:
>> https://bugzilla.redhat.com/show_bug.cgi?id=920713
>> But this should not affect the patches as the fix would need to be done only in
>> bind packages.
>>
>> Martin
>>
> Attaching one more fix for PKI CA installation, installer in F19 seems more
> sensitive to the certificate downloaded via sslget from pki-ca. It may contain
> DOS line endings which breaks certutil cert import and crashes the install.
> Patch 398 fixes it - tested both on F18 and F19.
>
> Martin
Patches work fine both on F18 and F19 and indeed fix the discovered issues.

There's still the following problem that *can* occur (not 100% reproducible)
when installing rpms:

[snip]
   Installing : freeipa-server-3.1.99GITa9b9b77-0.fc19.x86_64 4/7
   Installing : freeipa-server-selinux-3.1.99GITa9b9b77-0.fc19.x86_64 5/7
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not 
exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not 
exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!
   Installing : freeipa-server-trust-ad-3.1.99GITa9b9b77-0.fc19.x86_64 6/7

Consequently, it causes the following failure during ipa-server-install:

[12/14]: configuring SELinux for httpd
WARNING: could not set the following SELinux boolean(s):
   httpd_can_network_connect -> on
   httpd_manage_ipa -> on
The web interface may not function correctly until the booleans
are successfully changed with the command:
/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
Try updating the policycoreutils and selinux-policy packages.
   [13/14]: restarting httpd
...

However, this looks like a bug in SELinux policy, probably. The workaround
(manual setting of SELinux booleans) is printed out by the
ipa-server-install script, so I would not consider it a blocker for this
patchset.

ACK.

Tomas
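The DOS line-ending problem Martin describes for patch 398 (a certificate fetched from pki-ca via sslget that certutil refuses to import) is the kind of input a normalizer should catch before the import step. The following is an added example, not code from this thread or from FreeIPA: it converts CRLF to LF, checks the PEM markers and base64 body, and rejects anything else. The sample PEM body is constructed and is not a real DER certificate.

```python
import base64
import binascii
import re

# Added example, not FreeIPA code: normalize a PEM certificate blob that may
# carry DOS (CRLF) line endings before it is handed to certutil for import.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\n"
    rb"(?P<body>[A-Za-z0-9+/=\n]+)"
    rb"-----END CERTIFICATE-----\n"
)


def normalize_pem(data: bytes) -> bytes:
    """Return `data` with Unix line endings and a single trailing newline.

    Raises ValueError if the result is not a syntactically valid PEM
    certificate (markers present, base64 body decodes), so a corrupted
    download fails here with a clear message instead of inside certutil.
    """
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    text = text.strip() + b"\n"
    m = PEM_RE.fullmatch(text)
    if m is None:
        raise ValueError("not a PEM certificate")
    body = m.group("body").replace(b"\n", b"")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError("PEM body is not valid base64") from e
    return text


# Constructed sample: the base64 body is not a real DER certificate, it only
# exercises the line-ending handling.
SAMPLE_BODY = base64.b64encode(b"constructed sample, not a real DER certificate")
DOS_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + SAMPLE_BODY + b"\r\n"
           b"-----END CERTIFICATE-----\r\n")
UNIX_PEM = (b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + b"\n"
            b"-----END CERTIFICATE-----\n")


def demo() -> bool:
    """True when the DOS-style blob normalizes to the expected Unix form."""
    fixed = normalize_pem(DOS_PEM)
    return b"\r" not in fixed and fixed == UNIX_PEM
```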