Bug 1698384
| Summary: | ipa-kra-install fails due to fs.protected_regular=1 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | François Cami <fcami> |
| Component: | freeipa | Assignee: | François Cami <fcami> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 30 | CC: | abokovoy, contribs, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce, twoerner |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | freeipa-4.8.2-1.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-20 01:02:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The following patch fixes the issue:
diff -rU2 1/ipaserver/install/krainstance.py 2/ipaserver/install/krainstance.py
--- 1/ipaserver/install/krainstance.py 2019-04-10 09:47:00.741398165 +0200
+++ 2/ipaserver/install/krainstance.py 2019-04-10 10:07:43.516687770 +0200
@@ -155,5 +155,4 @@
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
- os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
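Review bot: with the `os.chown(cfg_file, ...)` line dropped right after `os.close(cfg_fd)`, nothing at this spot says that ownership is handed over later, so a future cleanup could easily put the early chown back. A one-line comment here pointing at the deferred chown would prevent that. `pent = pwd.getpwnam(self.service_user)` is now looked up well over a hundred lines before the chown in the second hunk; if nothing in between uses it, move the lookup next to that call.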
@@ -293,4 +292,7 @@
config.write(f)
+ # chown after write is necessary when fs.protected_regular=1
+ os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+
try:
DogtagInstance.spawn_instance(
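Review bot: the new `os.chown(cfg_file, pent.pw_uid, pent.pw_gid)` after `config.write(f)` changes ownership by path, so the name is resolved a second time after the write. Calling `os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid)` while the file is still open would apply the change to the descriptor that was just written. The comment states that the order is necessary but not why; one more clause (root can no longer reopen the file for writing once it belongs to the service user) would help. It is also worth confirming that nothing after this point reopens `cfg_file` for writing as root.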
Upstream ticket: https://pagure.io/freeipa/issue/7906

Fixed upstream
master: https://pagure.io/freeipa/c/cf42dc1f2930cba3fca144ad4b7c1c01e9ed9163
ipa-4-7: https://pagure.io/freeipa/c/a0973db29e0074d0c0732973fe73418430fec9fc

FEDORA-2019-75a963e4cb has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
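The ordering problem behind this bug, as an added example that is not part of the bug report or of FreeIPA's code: a small model of the kernel's `fs.protected_regular` rule for sticky directories, and a helper that writes a temporary file before handing it over. The function names are hypothetical, and the helper uses `os.fchown` on the open descriptor where the patch uses `os.chown` by path.

```python
import os
import stat
import tempfile


def protected_regular_denies(level, dir_mode, dir_uid, file_uid, fsuid, o_creat=True):
    """Model of the kernel's sticky-directory check for an existing regular file.

    Returns True when the open would be refused with EACCES.
    Python's open(path, "w") passes O_CREAT, so it is subject to this check.
    """
    if level == 0 or not o_creat:
        return False              # restriction off, or open without O_CREAT
    if not dir_mode & stat.S_ISVTX:
        return False              # only sticky directories are covered
    if file_uid == dir_uid or file_uid == fsuid:
        return False              # owned by the directory owner or by the opener
    if dir_mode & stat.S_IWOTH:
        return True               # level >= 1: world-writable sticky directory
    return level >= 2 and bool(dir_mode & stat.S_IWGRP)


def read_protected_regular(path="/proc/sys/fs/protected_regular"):
    """Current sysctl value, or None where the kernel does not expose it."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def write_then_chown(directory, text, uid, gid):
    """Create, fill and only then hand over a temp file (the order the fix uses)."""
    fd, path = tempfile.mkstemp(dir=directory)   # created 0600, owned by the caller
    with os.fdopen(fd, "w") as f:
        f.write(text)
        f.flush()
        os.fchown(f.fileno(), uid, gid)          # ownership changes after the write
    return path


if __name__ == "__main__":
    # Constructed scenario matching the report: root (uid 0) reopens a file in a
    # 1777 directory after it was chowned to a service account (uid 17 is made up).
    print("sysctl value:", read_protected_regular())
    print("denied:", protected_regular_denies(1, 0o1777, 0, 17, 0))
```
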
ipa-kra-install fails on f30+:

2019-04-09T22:15:46Z DEBUG   [3/11]: configuring KRA instance
2019-04-09T22:15:46Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 292, in __spawn_instance
    with open(cfg_file, "w") as f:
PermissionError: [Errno 13] Permission denied: '/tmp/tmpm1rqniqo'
2019-04-09T22:15:46Z DEBUG   [error] PermissionError: [Errno 13] Permission denied: '/tmp/tmpm1rqniqo'
2019-04-09T22:15:46Z DEBUG Removing /var/lib/ipa/tmp-gt08zqc7
2019-04-09T22:15:46Z DEBUG Removing /root/.dogtag/pki-tomcat/kra
2019-04-09T22:15:46Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 583, in main
    replica_install(self)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 400, in decorated
    func(installer)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/replicainstall.py", line 1274, in install
    kra.install(api, config, options, custodia=custodia)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/kra.py", line 94, in install
    promote=promote)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 142, in configure_instance
    self.start_creation(runtime=120)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 605, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 591, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krainstance.py", line 292, in __spawn_instance
    with open(cfg_file, "w") as f:

This is because the temp (/tmp) configuration file is first chowned to a non-root account and then opened rw by root.

This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1677027