Bug 1457876

Summary: ipa-backup fails silently
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: asakure, enewland, fbarreto, frenaud, gparente, ksiddiqu, myusuf, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.5.4-9.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:42:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2017-06-01 12:39:33 UTC 
Description of problem:

When ipa-backup is called for the first time, the LDAP database is exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this. The tool runs under the dirsrv user context. When you call ipa-restore, the same ldif file is mangled by RemoveRUVParser(). Since the tool runs under root, also the mangled ldif file is now owned by root. 

When you now call ipa-backup the next time, the db2ldif fails, because the tool does not have permissions to write to the ldif file which is owned by root (instead of dirsrv).


I think this is the problematic code in ldif2db():

  ipautil.backup_file(ldiffile)                                              
        with open(ldiffile, 'wb') as out_file:                                     
            ldif_writer = ldif.LDIFWriter(out_file)                                
            with open(srcldiffile, 'rb') as in_file:                               
                ldif_parser = RemoveRUVParser(in_file, ldif_writer, self.log)   
                ldif_parser.parse()           

Another problem is, that ipa-backup returns with "The ipa-backup command was successful" although the db2ldif failed.

Version-Release number of selected component (if applicable):
ipa-4.4

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Petr Vobornik 2017-06-09 15:51:45 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7010
Comment 4 Martin Bašti 2017-06-15 08:41:26 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/e8358eaea9ccf05c5c5ac0bf5c970663c611e333
Comment 6 Mohammad Rizwan 2018-01-09 10:28:26 UTC 
Version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

steps:
1. Install ipa Master
2. $ ipa-backup
3. $ ipa-restore <path-to-backup-directory>
4. $ ls -ldZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
5. $ ls -lZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
6. $  ipa-backup -d


Actual result:

[root@bkr-hv01-guest02 ~]# ls -ldZ /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif
drwxrwx---. dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif

[root@bkr-hv01-guest02 ~]# ls -lZ /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_lib_t:s0 TESTRELM-TEST-ipaca.ldif
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_lib_t:s0 TESTRELM-TEST-userRoot.ldif

[root@bkr-hv01-guest02 ~]# ipa-backup -d
[..]
ipa.ipaserver.install.ipa_backup.Backup: CRITICAL: db2ldif failed: [09/Jan/2018:05:08:46.212938677 -0500] - ERR - slapd_bootstrap_config - %s: %s: %s
 - /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif[09/Jan/2018:05:08:46.320040402 -0500] - WARN - load_config_dse - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
[09/Jan/2018:05:08:46.407005661 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.413888259 -0500] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[09/Jan/2018:05:08:46.419228069 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.429246592 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.438221259 -0500] - NOTICE - ldbm_back_start - found 8010080k physical memory
[09/Jan/2018:05:08:46.438965801 -0500] - NOTICE - ldbm_back_start - found 7372328k available
[09/Jan/2018:05:08:46.439430891 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 200252k
[09/Jan/2018:05:08:46.440042688 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.441733911 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.443076469 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.444817426 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.445821890 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.447345397 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.448330677 -0500] - NOTICE - ldbm_back_start - total cache size: 969352806 B; 
[09/Jan/2018:05:08:46.466278396 -0500] - DEBUG - ldbm_usn_init - backend: changelog (global mode)
[09/Jan/2018:05:08:46.467578224 -0500] - DEBUG - ldbm_usn_init - backend: userRoot (global mode)
[09/Jan/2018:05:08:46.468353594 -0500] - DEBUG - ldbm_usn_init - backend: ipaca (global mode)
[09/Jan/2018:05:08:46.476491262 -0500] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=testrelm,dc=test--no CoS Templates found, which should be added before the CoS Definition.
ldiffile: /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-ipaca.ldif
[09/Jan/2018:05:08:46.481779742 -0500] - ERR - ldbm_back_ldbm2ldif - db2ldif: can't open /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-ipaca.ldif: 13 (Permission denied) while running as user "dirsrv"
[09/Jan/2018:05:08:46.483030518 -0500] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
[09/Jan/2018:05:08:47.468001528 -0500] - INFO - dblayer_pre_close - All database threads now stopped

ipa-backup returns with "The ipa-backup command was successful" although the db2ldif failed
Comment 8 Mohammad Rizwan 2018-01-09 10:31:29 UTC 
Based on observation from comment#6, making the bug "FailedQA"
Comment 10 Florence Blanc-Renaud 2018-01-12 15:32:04 UTC 
Moving the bug back to ASSIGNED as the backport was missing
Comment 11 Florence Blanc-Renaud 2018-01-12 19:49:37 UTC 
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/58f3af38f8a0853b4a74c86e5f6252684f814a26
Comment 18 Mohammad Rizwan 2018-01-25 07:31:00 UTC 
version:
ipa-server-4.5.4-9.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64

steps:
1. Install ipa Master
2. $ ipa-backup
3. $ ipa-restore <path-to-backup-directory>
4. $ ls -ldZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
5. $ ls -lZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
6. $  ipa-backup -d

Actual result:
No error has been observed while $ ipa-backup -d ran.

Thus based on above observation, marking bug verified.
Comment 22 errata-xmlrpc 2018-04-10 16:42:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918
Comment 23 Florence Blanc-Renaud 2018-08-21 12:34:17 UTC 
Tests
master:
https://pagure.io/freeipa/c/51240f3558b60f35d551188f88329f48fc456778

ipa-4-6:
https://pagure.io/freeipa/c/683324271027e2cc64634bb6bdadb47d849931cc

ipa-4-7:
https://pagure.io/freeipa/c/9d5cc29d33e18e36f95d875ce4154d00e154db5b