Red Hat Bugzilla – Attachment 1364119 Details for Bug 1514241: [Regression] gssproxy-0.7.0-24.fc27 breaks NFS4 krb5i mounts
vagrant reproducer
Vagrantfile (text/plain), 17.54 KB, created by rob.verduijn on 2017-12-07 09:20:28 UTC
```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  config.vm.box_check_update = true
  config.vm.define :ipaserver do |ipaserver|
    ipaserver.vm.network :private_network,:ip =>'192.168.122.2',:libvirt__network_name=>'default',:auto_config=>false
    ipaserver.vm.hostname = "ipa.example.com"
    ipaserver.vm.box = "centos/7"
    ipaserver.vm.provision "shell", inline: <<-SHELL
      # I want firewalld running (I use this for checks from the clients)
      systemctl enable firewalld.service
      systemctl start firewalld.service

      # update and install
      yum update -q -y
      yum install -q -y ipa-server ipa-server-dns psmisc qemu-guest-agent screen bash-completion sssd-tools

      # enable ssh access with passwords and pubkeys
      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd.service

      # set the nfs-idmap method to sss
      sed -i 's/#Method = nsswitch/Method = sss/' /etc/idmapd.conf
      systemctl restart nfs-idmapd.service

      # start qemu-guest-agent
      systemctl start qemu-guest-agent

      # root password
      echo centos74 | passwd --stdin root

      # make sure the server can always resolve itself
      echo '192.168.122.2 ipa.example.com ipa' >> /etc/hosts

      # disable and stop chronyd
      systemctl disable chronyd.service
      systemctl stop chronyd.service

      # enable and start ntp and ntpdate
      systemctl enable ntpdate.service
      systemctl enable ntpd.service
      systemctl start ntpdate.service
      systemctl start ntpd.service

      # set 127.0.0.1 to localhost
      sed -i '1d' /etc/hosts

      # we need the dns from the ipa server now
      nmcli connection down 'Wired connection 1'
      nmcli connection del 'Wired connection 1'
      # we no longer want dns from the host
      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
      nmcli connection up 'System eth0'
      nmcli connection add type ethernet con-name eth1 ifname eth1
      nmcli connection mod eth1 ipv4.addresses 192.168.122.2/24 ipv4.dns 192.168.122.2 ipv4.method manual
      nmcli connection up eth1

      # configure ipa server with dns
      ipa-server-install \
        --unattended \
        --setup-dns \
        --realm=EXAMPLE.COM \
        --domain=example.com \
        --ds-password=centos74 \
        --admin-password=centos74 \
        --hostname=ipa.example.com \
        --no-forwarders \
        --auto-reverse

      # obtain principal
      echo centos74 | kinit admin

      # add reverse zone
      ipa dnszone-add 122.168.192.in-addr.arpa.

      # Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
      ipa dnszone-mod example.com. --allow-sync-ptr=TRUE

      # add hosts
      ipa host-add nfs.example.com --password=centos74 --ip-address=192.168.122.3
      ipa host-add fedoraclient.example.com --password=centos74 --ip-address=192.168.122.4
      ipa host-add centosclient.example.com --password=centos74 --ip-address=192.168.122.5

      # add automount maps
      # vers=4 is because kde does not work well with nfs > 4.0
      # async for speed
      # ip address to save time on mounting the home share
      ipa automountkey-add default auto.direct --key='/home' --info='-vers=4,rw,async,noatime,timeo=14,soft,sec=krb5p,acl 192.168.122.3:/homes'
      ipa automountkey-add default auto.direct --key='/test' --info='-rw,noatime,timeo=14,soft,sec=krb5p,acl nfs.example.com:/test'

      # add user
      echo -e "centos74\ncentos73\n" | ipa user-add testuser --first=test --last=user --shell='/bin/bash' --password

      # open up the firewall
      firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
      firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

    SHELL
    # ipaserver needs more resources than the default assignment of 1cpu/512Mb
    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
    ipaserver.vm.provider :libvirt do |domain|
      domain.uri = 'qemu+tcp://vimes.tjako.thuis/system'
      domain.memory = 4096
      domain.cpus = 2
      domain.graphics_ip = '0.0.0.0'
      # passthrough /dev/random to make sure we got plenty entropy (requires vagrant >= 1.9)
      domain.random :model => 'random'
      # I like spice
      domain.video_type = 'qxl'
      domain.graphics_type = 'spice'
      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
    end
  end

  config.vm.define :nfsserver do |nfsserver|
    nfsserver.vm.network :private_network,:ip =>'192.168.122.3',:libvirt__network_name=>'default',:auto_config=>false
    nfsserver.vm.hostname = "nfs.example.com"
    nfsserver.vm.box = "centos/7"
    nfsserver.vm.provision "shell", inline: <<-SHELL
      # I want firewalld running (I use this for checks from the clients)
      systemctl enable firewalld.service
      systemctl start firewalld.service

      # update and install
      yum update -q -y
      yum install -q -y ipa-client ipa-admintools qemu-guest-agent screen bash-completion sssd-tools

      # start qemu-guest-agent
      systemctl start qemu-guest-agent

      # enable ssh access with passwords and pubkeys
      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd.service

      # set the nfs-idmap method to sss
      sed -i 's/#Method = nsswitch/Method = sss/' /etc/idmapd.conf

      # root password
      echo centos74 | passwd --stdin root

      # create exports and example file
      echo '/exports *(rw,crossmnt,fsid=0,sec=krb5p)' > /etc/exports
      echo '/exports/homes *(rw,async)' >> /etc/exports
      echo '/exports/test *(rw)' >> /etc/exports
      mkdir -p /exports/{homes,test}
      echo "example" > /exports/test/example.txt

      # we need the dns from the ipa server now
      nmcli connection down 'Wired connection 1'
      nmcli connection del 'Wired connection 1'
      # we no longer want dns from the host
      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
      nmcli connection up 'System eth0'
      nmcli connection add type ethernet con-name eth1 ifname eth1
      nmcli connection mod eth1 ipv4.addresses 192.168.122.3/24 ipv4.dns 192.168.122.2 ipv4.method manual
      nmcli connection up eth1

      # now wait for the ipa configuration to finish
      while ! curl -s http://192.168.122.2 2>&1 1>/dev/null ; do
        echo 'waiting for ipa to finish configuring'
        sleep 10
      done

      # add system to ipa
      ipa-client-install --mkhomedir -U -w centos74 --ip-address=192.168.122.3

      # create homedir
      mkdir /exports/homes/testuser
      rsync -a /etc/skel/ /exports/homes/testuser/
      chown -R testuser:testuser /exports/homes/testuser/

      # obtain principal
      echo centos74 | kinit admin

      # add nfs server principal
      ipa service-add nfs/nfs.example.com@EXAMPLE.COM

      # install principal in keytab
      ipa-getkeytab -p nfs/nfs.example.com@EXAMPLE.COM -k /etc/krb5.keytab

      # enable and start nfs-server
      systemctl enable nfs-server.service
      systemctl start nfs-server.service

      # open firewall
      firewall-cmd --add-service=nfs
      firewall-cmd --add-service=nfs --permanent

    SHELL
    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
    nfsserver.vm.provider :libvirt do |domain|
      domain.uri = 'qemu+tcp://vimes.tjako.thuis/system'
      # passthrough /dev/random to make sure we got plenty entropy (requires vagrant >= 1.9)
      domain.random :model => 'random'
      # I like spice
      domain.video_type = 'qxl'
      domain.graphics_type = 'spice'
      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
    end

  end

  config.vm.define :centosclient do |centosclient|
    centosclient.vm.network :private_network,:ip =>'192.168.122.5',:libvirt__network_name=>'default',:auto_config=>false
    centosclient.vm.hostname = "centosclient.example.com"
    centosclient.vm.box = "centos/7"
    centosclient.vm.provision "shell", inline: <<-SHELL
      # I want firewalld running (I use this for checks from the clients)
      systemctl enable firewalld.service
      systemctl start firewalld.service

      # update and install
      yum update -q -y
      yum install -q -y ipa-client ipa-admintools qemu-guest-agent screen bash-completion sssd-tools

      # enable ssh access with passwords and pubkeys
      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd.service

      # set the nfs-idmap method to sss
      sed -i 's/#Method = nsswitch/Method = sss/' /etc/idmapd.conf

      # root password
      echo centos74 | passwd --stdin root

      # vagrant password
      echo centos74 | passwd --stdin vagrant

      # move the homedir of the vagrant user (usermod causes conflicts due to this script being run via the vagrant account)
      rsync -avXA /home/vagrant /var/lib
      sed -i 's!/home/vagrant!/var/lib/vagrant!' /etc/passwd
      rm -rf /home/vagrant

      # we need the dns from the ipa server now
      nmcli connection down 'Wired connection 1'
      nmcli connection del 'Wired connection 1'
      # we no longer want dns from the host
      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
      nmcli connection up 'System eth0'
      nmcli connection add type ethernet con-name eth1 ifname eth1
      nmcli connection mod eth1 ipv4.addresses 192.168.122.5/24 ipv4.dns 192.168.122.2 ipv4.method manual
      nmcli connection up eth1

      # now wait for the ipa configuration to finish
      while ! curl -s http://192.168.122.2 2>&1 1>/dev/null ; do
        echo 'waiting for ipa to finish configuring'
        sleep 10
      done

      # add system to ipa
      ipa-client-install -U -w centos74 --ip-address=192.168.122.5

      # configure automount
      ipa-client-automount -U --location=default

      # set nfs selinux boolean
      setsebool -P use_nfs_home_dirs 1

      # an autofs restart is needed here
      systemctl restart autofs

      # obtain principal
      echo centos74 | kinit admin
    SHELL
    # graphical fedora desktop needs more resources than the default assignment of 1cpu/512Mb
    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
    centosclient.vm.provider :libvirt do |domain|
      domain.uri = 'qemu+tcp://vimes.tjako.thuis/system'
      domain.graphics_ip = '0.0.0.0'
      # passthrough /dev/random to make sure we got plenty entropy (requires vagrant >= 1.9)
      domain.random :model => 'random'
      # I like spice
      domain.video_type = 'qxl'
      domain.graphics_type = 'spice'
      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
    end
  end

  config.vm.define :fedoraclient do |fedoraclient|
    fedoraclient.vm.network :private_network,:ip =>'192.168.122.4',:libvirt__network_name=>'default',:auto_config=>false
    fedoraclient.vm.hostname = "fedoraclient.example.com"
    fedoraclient.vm.box = "fedora/27-cloud-base"
    fedoraclient.vm.provision "shell", inline: <<-SHELL
      # update and install
      dnf update -q -y
      dnf install -q -y ipa-client ipa-admintools tuned httpd NetworkManager qemu-guest-agent screen bash-completion sssd-tools

      # enable and start tuned
      systemctl enable tuned.service
      systemctl start tuned.service

      # start qemu-guest-agent
      systemctl start qemu-guest-agent

      # enable ssh with passwords and pubkeys
      sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
      sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd.service

      # set the nfs-idmap method to sss
      sed -i 's/#Method = nsswitch/Method = sss/' /etc/idmapd.conf
      systemctl restart nfs-idmapd.service

      # root password
      echo centos74 | passwd --stdin root

      # vagrant password
      echo centos74 | passwd --stdin vagrant

      # move the homedir of the vagrant user (usermod causes conflicts due to this script being run via the vagrant account)
      rsync -avXA /home/vagrant /var/lib
      sed -i 's!/home/vagrant!/var/lib/vagrant!' /etc/passwd
      rm -rf /home/vagrant

      # start network manager because it is not running for some reason
      systemctl start NetworkManager.service

      # we need the dns from the ipa server now
      nmcli connection down 'Wired connection 1'
      nmcli connection del 'Wired connection 1'
      # we no longer want dns from the host
      nmcli connection mod 'System eth0' ipv4.ignore-auto-dns true
      nmcli connection up 'System eth0'
      nmcli connection add type ethernet con-name eth1 ifname eth1
      nmcli connection mod eth1 ipv4.addresses 192.168.122.4/24 ipv4.dns 192.168.122.2 ipv4.method manual
      nmcli connection up eth1

      # now wait for the ipaserver configuration to finish
      while ! curl -s http://192.168.122.2 2>&1 1>/dev/null ; do
        echo 'waiting for ipa to finish configuring'
        sleep 10
      done

      # add system to ipa (no mkhome because we got automount home)
      ipa-client-install -U -w centos74 --ip-address=192.168.122.4

      # for some reason libsss_sudo is missing
      #dnf install -y libsss_sudo
      #systemctl restart sssd.service

      # workaround for autofs/sssd race condition bug : https://fedorahosted.org/sssd/ticket/3080 (FIXED)
      #echo '[Service]' > /etc/systemd/system/sssd.service.d/00_boot_delay.conf
      #echo 'ExecStartPre=/bin/sleep 10' >> /etc/systemd/system/sssd.service.d/00_boot_delay.conf
      #systemctl daemon-reload
      #systemctl restart sssd.service

      # configure automount
      ipa-client-automount -U --location=default

      # fix the nsswitch entry so it uses sss for automount
      sed -i 's/automount: files nisplus/automount: files sss/' /etc/nsswitch.conf

      # set nfs selinux boolean
      setsebool -P use_nfs_home_dirs 1

      # an autofs restart is needed here
      systemctl restart autofs

      # obtain principal
      echo centos74 | kinit admin

      # add http server principal for gssproxy test
      ipa service-add HTTP/fedoraclient.example.com@EXAMPLE.COM

      # install the http keytab
      ipa-getkeytab -p HTTP/fedoraclient.example.com@EXAMPLE.COM -k /var/lib/gssproxy/clients/48.keytab

      # enable debugging
      echo 'debug = true' >> /etc/gssproxy/gssproxy.conf
      echo 'debug_level = 9' >> /etc/gssproxy/gssproxy.conf

      # restart the service
      systemctl restart gssproxy.service

      # create the workaround script for bug 178
      # #178 Interaction between httpd and nfs-client changes location of keytab for apache nfs access
      # https://pagure.io/gssproxy/issue/178
      echo '#!/bin/bash' > /root/workaround.bash
      echo '# workaround for bug 178' >> /root/workaround.bash
      echo '# #178 Interaction between httpd and nfs-client changes location of keytab for apache nfs access' >> /root/workaround.bash
      echo '# https://pagure.io/gssproxy/issue/178' >> /root/workaround.bash
      echo 'mkdir -p /var/kerberos/krb5/user/48/' >> /root/workaround.bash
      echo 'cp /var/lib/gssproxy/clients/48.keytab /var/kerberos/krb5/user/48/client.keytab' >> /root/workaround.bash
      echo 'chown apache:apache /var/kerberos/krb5/user/48/client.keytab' >> /root/workaround.bash
      echo 'chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab' >> /root/workaround.bash
      echo 'systemctl restart gssproxy.service' >> /root/workaround.bash
      chmod +x /root/workaround.bash

      # install latest gssproxy to avoid bug https://bugzilla.redhat.com/show_bug.cgi?id=1514241
      yum update -q -y --enablerepo=updates-testing gssproxy

    SHELL
    # graphical fedora desktop needs more resources than the default assignment of 1cpu/512Mb
    # see https://github.com/vagrant-libvirt/vagrant-libvirt for all options
    fedoraclient.vm.provider :libvirt do |domain|
      domain.uri = 'qemu+tcp://vimes.tjako.thuis/system'
      domain.graphics_ip = '0.0.0.0'
      # passthrough /dev/random to make sure we got plenty entropy (requires vagrant >= 1.9)
      domain.random :model => 'random'
      # I like spice
      domain.video_type = 'qxl'
      domain.graphics_type = 'spice'
      domain.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
      domain.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
    end
  end
end
```