Bug 1410354

Summary: ipa-server-install fails when /usr is read only
Product: Red Hat Enterprise Linux 8
Reporter: Jan Pazdziora <jpazdziora>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: abokovoy, frenaud, jpazdziora, pasik, pcech, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-11-30 14:15:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1405325

Description Jan Pazdziora 2017-01-05 09:32:27 UTC
Description of problem:

When the /usr filesystem is read-only, ipa-server-install fails with

  [error] IOError: [Errno 13] Permission denied: '/usr/share/ipa/html/krb5.ini'

Version-Release number of selected component (if applicable):

ipa-server-4.4.0-12.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. yum install -y ipa-server
2. chattr -R +i /usr
   # We use chattr to emulate a separate /usr mounted read-only.
   # Ignore the "chattr: Operation not supported while reading flags on ..." error messages on symlinks.
3. ipa-server-install -U -r EXAMPLE.TEST -n example.test -a Secret123 -p Secret123

Actual results:

  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [error] IOError: [Errno 13] Permission denied: '/usr/share/ipa/html/krb5.ini'
ipa.ipapython.install.cli.install_tool(Server): ERROR    [Errno 13] Permission denied: '/usr/share/ipa/html/krb5.ini'
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

The command passes as it should not be generating content in /usr. If some IPA server instance-specific content is needed, it should live in /var.

Additional info:

Comment 2 Petr Vobornik 2017-01-05 12:53:40 UTC
There are more files in /usr/ipa which are generated on installation. I.e., it's a current limitation of IPA that it doesn't work with a read-only /usr.

This issue/RFE is tracked in https://fedorahosted.org/freeipa/ticket/2465, which also had an RH bugzilla: bug 800546

Comment 3 Jan Pazdziora 2017-01-05 13:54:36 UTC
(In reply to Petr Vobornik from comment #2)
> There is more files in /usr/ipa which are generated on installation.

Right. I'm aware of

/usr/share/ipa/html/ca.crt
/usr/share/ipa/html/configure.jar
/usr/share/ipa/html/kerberosauth.xpi
/usr/share/ipa/html/krb5.ini
/usr/share/ipa/html/krb.con
/usr/share/ipa/html/krb.js
/usr/share/ipa/html/krbrealm.con
/usr/share/ipa/html/preferences.html

Comment 4 Petr Vobornik 2017-01-13 17:36:41 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2465

Comment 8 Alexander Bokovoy 2020-02-13 08:05:25 UTC
Kerberos-specific configuration comes from

commit e40c583b12ed3d0b1db62154b7b0b84eed44ed6e
Author: Rob Crittenden <rcritten>
Date:   Mon Oct 29 12:00:48 2007 -0400

    Create configuration for MIT Windows kerberos client and install into
    http://hostname/config so users can point their MIT client at the IPA
    server and automatically fetch the configuration.

Most of that can be moved to /etc/ipa/html and symlinked in the same way we do with sssbrowser.html and unauthorized.html in install/html/Makefile.am.

So this is doable with ease.

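The relocation comment 8 proposes, applied to the file list from comment 3, as an added example (not FreeIPA's own installer code): the generated files are written only into a writable state directory, and the installer merely checks that the package-shipped symlink under the share directory resolves there, refusing to touch /usr when the link is missing. Directory names, the krb5.ini template and the realm/host values are assumptions for illustration.

```python
import tempfile
from pathlib import Path

# Files that ipa-server-install generated under /usr/share/ipa/html (comment 3 above).
GENERATED = ["ca.crt", "configure.jar", "kerberosauth.xpi", "krb5.ini",
             "krb.con", "krb.js", "krbrealm.con", "preferences.html"]

def misplaced_writes(paths, ro_prefixes=("/usr",)):
    """Return every path an installer would write beneath a read-only prefix."""
    def under(p, prefix):
        return p == prefix or p.startswith(prefix.rstrip("/") + "/")
    return [p for p in paths if any(under(p, pre) for pre in ro_prefixes)]

def render_krb5_ini(realm, domain, kdc_host):
    """Minimal MIT krb5.ini for a Windows client pointed at the IPA KDC (assumed template)."""
    return (f"[libdefaults]\n default_realm = {realm}\n\n"
            f"[realms]\n {realm} = {{\n  kdc = {kdc_host}:88\n"
            f"  admin_server = {kdc_host}:749\n }}\n\n"
            f"[domain_realm]\n .{domain} = {realm}\n {domain} = {realm}\n")

def install_generated_file(share_dir, state_dir, name, content):
    """Write the generated file into the writable state_dir and confirm that the
    package-shipped symlink in share_dir points at it. Nothing is written under
    share_dir, so a read-only /usr cannot make this step fail."""
    link, target = Path(share_dir) / name, Path(state_dir) / name
    if not link.is_symlink():
        raise RuntimeError(f"{link} is not a symlink; refusing to write into {share_dir}")
    if link.resolve() != target.resolve():
        raise RuntimeError(f"{link} resolves to {link.resolve()}, not {target}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return target

def demo():
    """Simulate /usr/share/ipa/html (read-only) and /etc/ipa/html (writable) in a tempdir."""
    with tempfile.TemporaryDirectory() as tmp:
        share, state = Path(tmp, "usr/share/ipa/html"), Path(tmp, "etc/ipa/html")
        share.mkdir(parents=True)
        for name in GENERATED:          # the package ships symlinks, not generated files
            (share / name).symlink_to(state / name)
        ini = render_krb5_ini("EXAMPLE.TEST", "example.test", "ipa.example.test")
        install_generated_file(share, state, "krb5.ini", ini)
        (share / "ca.crt").unlink()     # edge case: a link the package forgot to ship
        try:
            install_generated_file(share, state, "ca.crt", "constructed placeholder, not a cert")
            refused = False
        except RuntimeError:
            refused = True
        return {"krb5_ini": (share / "krb5.ini").read_text(), "refused": refused}
```

Running `misplaced_writes` over the eight paths from comment 3 flags all of them, which is the audit a packager would run before claiming read-only /usr support.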
Comment 9 Florence Blanc-Renaud 2020-02-14 14:56:00 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 12 Petr Čech 2020-11-30 14:15:48 UTC
This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address at some point in the future. Time showed that we did not have such capacity, nor do we have it now, nor will we have it in the foreseeable future. In such a situation, keeping it in the backlog is misleading and sets the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision, please reopen or open a new support case and create a new BZ. However, this does not guarantee that the request will not be closed during triage, as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream are always welcome!
Thank you for understanding,
Red Hat Enterprise Linux Identity Management Team