Bug 1511607

Summary: ipa-backup does not backup Custodia keys and files
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: asakure, enewland, frenaud, ksiddiqu, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.4-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:48:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1498523    

Description Petr Vobornik 2017-11-09 17:00:15 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/7247

ipa-backup does not back up ipa-custodia's config file and server keys. This causes some issues when a server is restored and then used as source for replica installation.

Downstream issue: https://bugzilla.redhat.com/show_bug.cgi?id=1498523
Comment 2 Petr Vobornik 2017-11-09 17:00:32 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7247
Comment 3 Petr Vobornik 2017-11-13 12:35:34 UTC 
Possible workaround (not confirmed) is hinted in bug 1498523:

"""
Backup the tob e edited config files). Edit sysrestore state (in /var/lib/ipa/sysrestore dir) and delete "custodia" entry. Try (on the master) to delete /etc/ipa/custodia/server.keys then run ipa-
server-update (this should re-generate the server.keys file), then retry replica2 install.
"""
Comment 4 Tomas Krizek 2017-11-13 17:12:29 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/8bbeedc93fd442cbbb9bb70e5f446011e95211db
Comment 5 Petr Vobornik 2017-11-20 14:42:09 UTC 
ipa-4-6:
    a926a00 Backup ipa-custodia conf and keys


ipa-4-5:
    07c0825 Backup ipa-custodia conf and keys
Comment 11 Nikhil Dehadrai 2017-12-18 14:49:04 UTC 
IPA-server-version: ipa-server-4.5.4-7.el7.x86_64

Tested the bug with following steps:
1. Setup ipa master with latest version.
2. Run the following backup command:
#ipa-backup -v --logs --log-file=ipabackup_test.log

Tested the bug for following scenarios:

Scenario-1: (Check backup log)
-----------------------------------
3. [root@ndipa ~]# cat ipabackup_test.log | grep custodia
Stopping ipa-custodia Service
2017-12-18T10:47:58Z DEBUG args=tar --exclude=/var/lib/ipa/backup --xattrs --selinux -cf /tmp/tmpJh0vt9ipa/ipa/files.tar /usr/share/ipa/html /etc/pki/pki-tomcat /etc/sysconfig/pki /etc/httpd/alias /var/lib/pki /var/lib/ipa/sysrestore /var/lib/ipa-client/sysrestore /var/lib/ipa/dnssec /var/lib/sss/pubconf/krb5.include.d/ /var/lib/authconfig/last /var/lib/certmonger /var/lib/ipa /var/run/dirsrv /var/lock/dirsrv /etc/dirsrv/slapd-TESTRELM-TEST /var/lib/dirsrv/scripts-TESTRELM-TEST /var/lib/dirsrv/slapd-TESTRELM-TEST /etc/named.conf /etc/named.keytab /etc/resolv.conf /etc/sysconfig/pki-tomcat /etc/sysconfig/dirsrv /etc/sysconfig/ntpd /etc/sysconfig/krb5kdc /etc/sysconfig/ipa-dnskeysyncd /etc/sysconfig/ipa-ods-exporter /etc/sysconfig/named /etc/sysconfig/ods /etc/sysconfig/authconfig /etc/ipa/nssdb/pwdfile.txt /etc/pki/ca-trust/source/ipa.p11-kit /etc/nsswitch.conf /etc/krb5.keytab /etc/sssd/sssd.conf /etc/openldap/ldap.conf /etc/security/limits.conf /etc/httpd/conf/password.conf /var/lib/ipa/gssproxy/http.keytab /etc/ipa/kdcproxy/ipa-kdc-proxy.conf /etc/httpd/conf.d/ipa-pki-proxy.conf /etc/httpd/conf.d/ipa-rewrite.conf /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/ipa.conf /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/krb5.conf /var/lib/ipa-client/pki/kdc-ca-bundle.pem /var/lib/ipa-client/pki/ca-bundle.pem /etc/ipa/ca.crt /etc/ipa/default.conf /etc/dirsrv/ds.keytab /etc/ntp.conf /etc/samba/smb.conf /root/ca-agent.p12 /var/lib/ipa/ra-agent.pem /var/lib/ipa/ra-agent.key /root/cacert.p12 /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key /var/kerberos/krb5kdc/cacert.pem /etc/systemd/system/multi-user.target.wants/ipa.service /etc/systemd/system/httpd.service.d/ipa.conf /etc/systemd/system/multi-user.target.wants/sssd.service /etc/systemd/system/multi-user.target.wants/certmonger.service /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd /etc/opendnssec/conf.xml /etc/opendnssec/kasp.xml /etc/opendnssec/zonelist.xml /var/opendnssec/kasp.db /etc/ipa/dnssec/softhsm2.conf /etc/ipa/dnssec/softhsm_pin_so /etc/ipa/dnssec/ipa-dnskeysyncd.keytab /etc/ipa/custodia/server.keys /etc/ipa/custodia/custodia.conf /etc/hosts /etc/ipa/nssdb/cert8.db /etc/ipa/nssdb/key3.db /etc/ipa/nssdb/secmod.db /etc/sysconfig/dirsrv-TESTRELM-TEST /etc/tmpfiles.d/dirsrv-TESTRELM-TEST.conf /var/log/pki/ /var/log/httpd /var/log/ipaserver-install.log /var/log/kadmind.log /var/log/messages /var/log/ipaclient-install.log /var/log/secure /var/named/data/named.run /var/log/dirsrv/slapd-TESTRELM-TEST
Starting ipa-custodia Service

[root@ndipa ~]# echo $?
0

I am able to successfully grep custodia files:
/etc/ipa/custodia/server.keys 
/etc/ipa/custodia/custodia.conf


Scenario-2: (Check backup tar files) 
---------------------------------------
[root@ndipa ipa-full-2017-12-18-16-18-00]# ls -l
total 11268
drwxr-xr-x. 15 root   root      4096 Dec 18 17:35 etc
-rw-r--r--.  1 root   root   4232529 Dec 18 16:17 files.tar
-rw-r--r--.  1 root   root       165 Dec 18 16:17 header
-rw-r--r--.  1 root   root   6050789 Dec 18 16:18 ipa-full.tar
drwxr-xr-x.  2 root   root        44 Dec 18 17:35 root
drwx------.  5 dirsrv dirsrv     138 Dec 18 16:17 TESTRELM-TEST
-rw-------.  1 dirsrv dirsrv  770273 Dec 18 16:17 TESTRELM-TEST-ipaca.ldif
-rw-------.  1 dirsrv dirsrv  464358 Dec 18 16:17 TESTRELM-TEST-userRoot.ldif
drwxr-xr-x.  3 root   root        19 Dec 18 17:35 usr
drwxr-xr-x.  9 root   root        98 Dec 18 17:35 var

[root@ndipa custodia]# pwd
/var/lib/ipa/backup/ipa-full-2017-12-18-16-18-00/etc/ipa/custodia
[root@ndipa custodia]# ls -l
total 8
-rw-r--r--. 1 root root  638 Dec 18 16:03 custodia.conf
-rw-------. 1 root root 3351 Dec 12 15:39 server.keys


Upon extracting the tar file, we could see the custodia files as well.


Scenario-3: (Restore backup)
--------------------------------
[root@ndipa backup]# ls -l /etc/ipa/custodia/
total 8
-rw-r--r--. 1 root root  638 Dec 18 16:03 custodia.conf
-rw-------. 1 root root 3351 Dec 12 15:39 server.keys
[root@ndipa backup]# rm -rf /etc/ipa/custodia/custodia.conf /etc/ipa/custodia/server.keys 
[root@ndipa backup]# ls -l /etc/ipa/custodia/
total 0
[root@ndipa backup]# ls -l
total 0
drwxr-x---. 7 dirsrv dirsrv 190 Dec 18 17:35 ipa-full-2017-12-18-16-18-00
ipa.ipaserver.install.ipa_restore.Restore: INFO: The ipa-restore command was successful
[root@ndipa ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ndipa ~]# kinit admin
Password for admin: 

[root@ndipa ~]# ls -l /etc/ipa/custodia/
total 8
-rw-r--r--. 1 root root  638 Dec 18 16:03 custodia.conf
-rw-------. 1 root root 3351 Dec 12 15:39 server.keys
[root@ndipa ~]# 


Scenario-4: (Install Replica against restored IPA-Master)
----------------------------------------------------------

On Replica system:
-------------------
[root@ndclient ~]# tail -1 /var/log/ipareplica-install.log 
2017-12-18T14:36:58Z INFO The ipa-replica-install command was successful

[root@ndclient ~]# kinit admin
Password for admin: 

[root@ndclient ~]# ipa host-find
---------------
2 hosts matched
---------------
  Host name: ndclient.testrelm.test
  Principal name: host/ndclient.testrelm.test
  Principal alias: host/ndclient.testrelm.test
  SSH public key fingerprint: SHA256:1EnGEUdQ/gv6LzXvPbc8XxLAjRKRtAhe7up5KV54//Y (ssh-rsa),
                              SHA256:+96k5fM+g3sOyaoO5r9SNTzJIkrL7j7V+VR8mt7hprY (ecdsa-sha2-nistp256),
                              SHA256:Wy5x6kY/Zfk2gnQfW2hvs/Tio8IYe8qwhpF4ge/TxKQ (ssh-ed25519)

  Host name: ndipa.testrelm.test
  Principal name: host/ndipa.testrelm.test
  Principal alias: host/ndipa.testrelm.test
  SSH public key fingerprint: SHA256:j+1dwHR7vTsQcI1sJNjgOh5pvw/NHTHxbAq8q9jOytc (ssh-rsa),
                              SHA256:9vd5BcSfN7ss09EcxAWxVIsyddT/xK/2ZIxXLiCwBy0 (ecdsa-sha2-nistp256),
                              SHA256:aW1IpxYl/WB9hMnYV2mE3dtvCflu8qICkCrHXK/Erwk (ssh-ed25519)
----------------------------
Number of entries returned 2
----------------------------
[root@ndclient ~]# ipa-replica-manage list
ndipa.testrelm.test: master
ndclient.testrelm.test: master
[root@ndclient ~]# 
[root@ndclient ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ndclient ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ndclient ~]# 

Thus on the basis of above observations, marking the status of bug to "VERIFIED"
Comment 16 errata-xmlrpc 2018-04-10 16:48:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918