Bug 1197290
| Summary: | realm crash during kickstart | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Scott Poore <spoore> | ||||||||||||||||||||||||||||||
| Component: | anaconda | Assignee: | David Shea <dshea> | ||||||||||||||||||||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||||||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||||||||||||||||||||
| Priority: | unspecified | ||||||||||||||||||||||||||||||||
| Version: | 22 | CC: | anaconda-maint-list, awilliam, g.kaviyarasu, jonathan, mkosek, pschindl, robatino, stefw, vanmeeuwen+fedora | ||||||||||||||||||||||||||||||
| Target Milestone: | --- | ||||||||||||||||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||||||||||||||||
| Hardware: | x86_64 | ||||||||||||||||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||||||||||||||||
| Whiteboard: | abrt_hash:755ef70308544a72015a055eddb12f6981580c8a4249943fb912eab015866c5d AcceptedBlocker | ||||||||||||||||||||||||||||||||
| Fixed In Version: | anaconda-22.20.2-1.fc22 | Doc Type: | Bug Fix | ||||||||||||||||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||||||||||||||||
| Clone Of: | |||||||||||||||||||||||||||||||||
| : | 1197838 (view as bug list) | Environment: | |||||||||||||||||||||||||||||||
| Last Closed: | 2015-03-07 00:06:00 UTC | Type: | --- | ||||||||||||||||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||||||||||||||
| Embargoed: | |||||||||||||||||||||||||||||||||
| Bug Depends On: | |||||||||||||||||||||||||||||||||
| Bug Blocks: | 1043121, 1197838 | ||||||||||||||||||||||||||||||||
| Attachments: |
|
||||||||||||||||||||||||||||||||
Created attachment 996350 [details]
File: anaconda-tb
Created attachment 996351 [details]
File: anaconda.log
Created attachment 996352 [details]
File: dnf.log
Created attachment 996353 [details]
File: dnf.rpm.log
Created attachment 996354 [details]
File: environ
Created attachment 996355 [details]
File: ks.cfg
Created attachment 996356 [details]
File: lsblk_output
Created attachment 996357 [details]
File: nmcli_dev_list
Created attachment 996358 [details]
File: os_info
Created attachment 996359 [details]
File: program.log
Created attachment 996360 [details]
File: storage.log
Created attachment 996361 [details]
File: syslog
Created attachment 996362 [details]
File: ifcfg.log
Created attachment 996363 [details]
File: packaging.log
Failure occurred testing kickstart with realm join. I am able to join successfully after a kickstart but, not when realm is included in ks.cfg.
Something to note (not sure if it's related though) is that when I do successfully join an IPA domain using realmd after kickstart, I do have to install python-sssdconfig.
[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
* Resolving: _ldap._tcp.example.test
* Performing LDAP DSE lookup on: 192.168.122.201
* Successfully discovered: example.test
* Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
* LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
There was a problem importing one of the required Python modules. The
error was:
No module named SSSDConfig
! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed
[root@fedora0 ~]# dnf -y install python-sssdconfig
Using metadata from Sat Feb 28 03:46:08 2015
Dependencies resolved.
=======================================================================================================
Package Arch Version Repository Size
=======================================================================================================
Installing:
python-sssdconfig noarch 1.12.4-2.fc22 updates-testing 96 k
Transaction Summary
=======================================================================================================
Install 1 Package
Total download size: 96 k
Installed size: 219 k
Downloading Packages:
python-sssdconfig-1.12.4-2.fc22.noarch.rpm 13 kB/s | 96 kB 00:07
-------------------------------------------------------------------------------------------------------
Total 1.5 kB/s | 96 kB 01:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : python-sssdconfig-1.12.4-2.fc22.noarch 1/1
Verifying : python-sssdconfig-1.12.4-2.fc22.noarch 1/1
Installed:
python-sssdconfig.noarch 1.12.4-2.fc22
Complete!
[root@fedora0 ~]# realm join -v --one-time-password=MyPassword example.test
* Resolving: _ldap._tcp.example.test
* Performing LDAP DSE lookup on: 192.168.122.201
* Successfully discovered: example.test
* Required files: /usr/sbin/ipa-client-install, /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd
* LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd
Discovery was successful!
Hostname: fedora0.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: vm1.example.test
BaseDN: dc=example,dc=test
Synchronizing time with KDC...
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.TEST
Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
Valid From: Wed Feb 11 23:46:12 2015 UTC
Valid Until: Sun Feb 11 23:46:12 2035 UTC
Enrolled in IPA realm EXAMPLE.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST
trying https://vm1.example.test/ipa/json
Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
DNS server record set to: fedora0.example.test -> 192.168.122.30
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.test as NIS domain.
Client configuration complete.
* /usr/bin/systemctl enable sssd.service
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
* Successfully enrolled machine in realm
[root@fedora0 ~]# id admin
uid=252400000(admin) gid=252400000(admins) groups=252400000(admins)
[root@fedora0 ~]#
I forgot to mention that this was seen running the kickstart via virt-install. I don't think that affects things but, it's more information.
qemu-img create -f qcow2 -o preallocation=metadata $DISKIMAGE 8G
virt-install --connect=qemu:///system \
--network=bridge:virbr0 \
--initrd-inject=/tmp/${VMNAME}.ks \
--extra-args="ks=file:/${VMNAME}.ks $EXTRAARGS" \
--name=$VMNAME \
--disk path=$DISKIMAGE,format=qcow2,size=8 \
--ram 1024 \
--vcpus=1 \
--check-cpu \
--hvm \
--location=$OSIMG \
--nographics
with ${VMNAME}.ks being the ks.cfg included from comment #6.
This is the Fedora Release Alpha Criteria that I think applies to this bug: https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Remote_authentication Discussed at today's blocker review meeting [1]. This bug was accepted as Alpha Blocker - This bug is a clear violation of the Alpha criterion: "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain." http://meetbot.fedoraproject.org/fedora-blocker-review/2015-03-02/ python-blivet-1.0.1-1.fc22, anaconda-22.20.2-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/anaconda-22.20.2-1.fc22,python-blivet-1.0.1-1.fc22 Package python-blivet-1.0.1-1.fc22, anaconda-22.20.2-1.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing python-blivet-1.0.1-1.fc22 anaconda-22.20.2-1.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-3110/anaconda-22.20.2-1.fc22,python-blivet-1.0.1-1.fc22 then log in and leave karma (feedback). anaconda-22.20.3-1.fc22, python-blivet-1.0.2-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/python-blivet-1.0.2-1.fc22,anaconda-22.20.3-1.fc22 So the updates previously submitted (#c20 and #c21) were unpushed because of major problems caused by the new python-blivet. However, looking through the changelogs, nothing in python-blivet 1.0.1 is actually needed to fix an Alpha blocker. The important fixes were in anaconda-22.20.2. Looking through the anaconda 22.20.1 -> 22.20.2 changes, I don't see anything that requires blivet 1.0.1 either. So I believe all we need for Alpha - currently, at least - is an update containing anaconda-22.20.2-1.fc22 (note: *NOT* 22.20.3) and no blivet update. I have tested a live compose with blivet 1.0 and anaconda 22.20.2 and it worked fine. If we then find further blockers in anaconda we would have to revert the commits that adjusted to blivet 1.0.1 or create a new branch starting from 22.20.2, and if we found further blockers in blivet we would have to create a branch from 1.0.0. But both of those seem perfectly possible, right? We don't need any builds-to-obsolete-old-builds or epoch bumps or anything awkward like that. anaconda-22.20.2-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/anaconda-22.20.2-1.fc22 Package anaconda-22.20.2-1.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing anaconda-22.20.2-1.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-3284/anaconda-22.20.2-1.fc22 then log in and leave karma (feedback). This looks like it's fixed. Using same test as above with RC3: From anaconda.log: 16:21:48,840 INFO anaconda: /sbin/anaconda 22.20.2-1 From program.log: 16:25:29,353 INFO program: Running... realm join --install /mnt/sysimage --verbose --one-time-password=MyPassword example.test 16:25:46,172 INFO program: * Resolving: _ldap._tcp.example.test 16:25:46,177 INFO program: * Performing LDAP DSE lookup on: 192.168.122.201 16:25:46,177 INFO program: * Successfully discovered: example.test 16:25:46,177 INFO program: * Assuming packages are installed 16:25:46,177 INFO program: * LANG=C /usr/sbin/ipa-client-install --domain example.test --realm EXAMPLE.TEST --mkhomedir --enable-dns-updates --unattended --force-join --password MyPassword --force-ntpd 16:25:46,178 INFO program: Discovery was successful! 16:25:46,178 INFO program: Hostname: fedora0.example.test 16:25:46,178 INFO program: Realm: EXAMPLE.TEST 16:25:46,178 INFO program: DNS Domain: example.test 16:25:46,178 INFO program: IPA Server: vm1.example.test 16:25:46,178 INFO program: BaseDN: dc=example,dc=test 16:25:46,178 INFO program: Synchronizing time with KDC... 16:25:46,179 INFO program: Downloading the CA certificate via HTTP, this is INSECURE 16:25:46,179 INFO program: Successfully retrieved CA cert 16:25:46,179 INFO program: Subject: CN=Certificate Authority,O=EXAMPLE.TEST 16:25:46,179 INFO program: Issuer: CN=Certificate Authority,O=EXAMPLE.TEST 16:25:46,179 INFO program: Valid From: Wed Feb 11 23:46:12 2015 UTC 16:25:46,179 INFO program: Valid Until: Sun Feb 11 23:46:12 2035 UTC 16:25:46,179 INFO program: 16:25:46,180 INFO program: Enrolled in IPA realm EXAMPLE.TEST 16:25:46,180 INFO program: Created /etc/ipa/default.conf 16:25:46,180 INFO program: New SSSD config will be created 16:25:46,180 INFO program: Configured sudoers in /etc/nsswitch.conf 16:25:46,180 INFO program: Configured /etc/sssd/sssd.conf 16:25:46,180 INFO program: Configured /etc/krb5.conf for IPA realm EXAMPLE.TEST 16:25:46,180 INFO program: trying https://vm1.example.test/ipa/json 16:25:46,181 INFO program: Forwarding 'ping' to json server 'https://vm1.example.test/ipa/json' 16:25:46,181 INFO program: Forwarding 'ca_is_enabled' to json server 'https://vm1.example.test/ipa/json' 16:25:46,181 INFO program: Systemwide CA database updated. 16:25:46,181 INFO program: Added CA certificates to the default NSS database. 16:25:46,181 INFO program: DNS server record set to: fedora0.example.test -> 192.168.122.30 16:25:46,181 INFO program: Forwarding 'host_mod' to json server 'https://vm1.example.test/ipa/json' 16:25:46,181 INFO program: SSSD enabled 16:25:46,182 INFO program: Configured /etc/openldap/ldap.conf 16:25:46,182 INFO program: Unable to find 'admin' user with 'getent passwd admin'! 16:25:46,182 INFO program: Unable to reliably detect configuration. Check NSS setup manually. 16:25:46,182 INFO program: NTP enabled 16:25:46,182 INFO program: Configured /etc/ssh/ssh_config 16:25:46,182 INFO program: Configured /etc/ssh/sshd_config 16:25:46,182 INFO program: Configuring example.test as NIS domain. 16:25:46,183 INFO program: Client configuration complete. 16:25:46,183 INFO program: 16:25:46,183 INFO program: * /usr/bin/systemctl enable sssd.service 16:25:46,183 INFO program: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service 16:25:46,183 INFO program: Running in chroot, ignoring request. 16:25:46,183 INFO program: * Successfully enrolled machine in realm [root@fedora0 anaconda]# id admin uid=252400000(admin) gid=252400000(admins) groups=252400000(admins) Looks good. I'll give karma too. anaconda-22.20.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Version-Release number of selected component: anaconda-22.20.1-1 The following was filed automatically by anaconda: anaconda 22.20.1-1 exception report Traceback (most recent call first): File "/usr/lib64/python2.7/site-packages/pyanaconda/kickstart.py", line 569, in execute rc = iutil.execWithRedirect("realm", argv)[0] File "/usr/lib64/python2.7/site-packages/pyanaconda/install.py", line 112, in doConfiguration ksdata.realm.execute(storage, ksdata, instClass) File "/usr/lib64/python2.7/threading.py", line 766, in run self.__target(*self.__args, **self.__kwargs) File "/usr/lib64/python2.7/site-packages/pyanaconda/threads.py", line 238, in run threading.Thread.run(self, *args, **kwargs) TypeError: 'int' object has no attribute '__getitem__' Additional info: addons: com_redhat_kdump cmdline: /usr/bin/python2 /sbin/anaconda cmdline_file: method=http://dl.fedoraproject.org/pub/alt/stage/22_Alpha_TC7/Server/x86_64/os/ ks=file:/fedora0.ks console=tty0 console=ttyS0,115200 executable: /sbin/anaconda hashmarkername: anaconda kernel: 4.0.0-0.rc1.git0.1.fc22.x86_64 product: Fedora" release: Cannot get release name. type: anaconda version: Fedora