Bug 1483159

Summary: Server deployment still sets up Firefox extension, this is no longer necessary and broken on F27+
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: freeipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 27 CC: abokovoy, dueno, ipa-maint, jcholast, jhrozek, kparal, pvoborni, rcritten, robatino, ssorce, tkrizek
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: freeipa-4.6.0-2.fc27
Last Closed: 2017-09-09 04:10:50 UTC Type: Bug
Bug Blocks: 1396702    
Attachments:
Description Flags
ipaserver-install.log from an affected deployment attempt (with the bad F26 update) none

Description Adam Williamson 2017-08-18 22:07:37 UTC
There's a point during the ipa-server-install process where it tries to use `/usr/bin/signtool` to sign a Firefox extension. According to rcrit, this extension isn't even used any more.

In Fedora 27+, signtool is no longer supported:
https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation

and the binary has been moved to `%{_libdir}/nss/unsupported-tools/` instead of `/usr/bin/`, so the script will blow up as soon as it reaches this point.

It sounds like the 'correct' fix here is just to get rid of all the stuff dealing with this extension, if it's really no longer used, rather than find a different way to sign it.

Nominating as an F27 Beta blocker, as this breaks FreeIPA server deployment: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Role_definition_requirements . Domain controller is a release-blocking role.

Note this change was also mistakenly sent to Fedora 26 in a candidate update, but openQA caught the breakage of FreeIPA and we were able to avoid the update going stable: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3f11b3237a#comment-648102 . The update has now been revised so signtool is not moved (the change will happen only in F27+).

Comment 1 Adam Williamson 2017-08-18 22:11:48 UTC
Created attachment 1315406
ipaserver-install.log from an affected deployment attempt (with the bad F26 update)

Comment 2 Kamil Páral 2017-08-21 16:57:08 UTC
Discussed during blocker review [1]:

AcceptedBlocker (Beta) - breaks deployment of FreeIPA servers, clear violation of Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." for the domain controller role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

Comment 3 Rob Crittenden 2017-08-29 17:16:29 UTC
*** Bug 1486383 has been marked as a duplicate of this bug. ***

Comment 4 Petr Vobornik 2017-09-01 19:55:08 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7135

Comment 5 Petr Vobornik 2017-09-01 20:40:48 UTC
FreeIPA 4.6, which will land in F27, removes the extension. But there is also some cleanup required, so upstream ticket 7135 was opened.

https://github.com/freeipa/freeipa/pull/1034

Comment 6 Fedora Update System 2017-09-05 16:42:23 UTC
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

Comment 7 Adam Williamson 2017-09-05 16:45:42 UTC
It looks like the 4.6.0 changes fix things sufficiently that deployment succeeds, which is all this bug is really about. So I've set the 4.6.0 update as fixing it. I guess you're OK tracking the cleanups in upstream tickets?

Comment 8 Alexander Bokovoy 2017-09-06 14:58:07 UTC
Yes, since https://bugzilla.redhat.com/show_bug.cgi?id=1488640 already has a beta blocker status, it is sufficient for us to unblock base functionality in web UI.

Comment 9 Fedora Update System 2017-09-07 14:29:55 UTC
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3

Comment 10 Fedora Update System 2017-09-09 04:10:50 UTC
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.