Bug 1729232
| Summary: | rebuild of sssd-container 7.6 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ferdinand bot (Userspace containerization team) <cyborg-bugzilla> |
| Component: | sssd-container | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | jhrozek, mupadhye, mzidek, ndehadra |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-container-7.6-28 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-29 16:39:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Ferdinand bot (Userspace containerization team)
2019-07-11 16:06:54 UTC
Atomic host Version: 7.6.6 (2019-07-24 08:47:27)
IPA-IMAGE: ipa-server-container-4.6.4-28
SSSD-IMAGE: sssd-container-7.6-28

# atomic run ipadocker rpm -q ipa-server
ipa-server-4.6.4-10.el7_6.6.x86_64

# atomic run sssd rpm -q ipa-client
ipa-client-4.6.4-10.el7_6.6.x86_64

Verified the bug with following scenarios:

A) CVE Scan:

IPA-IMAGE
------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/ipa-server
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-55-14-754765:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-55-14-754765:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/ipa-server (7a59f8d4e569e6c)

rhel7/ipa-server passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-55-14-754765.

SSSD-IMAGE
-------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-56-19-990281:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-56-19-990281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-56-19-990281.

B) Regressions Tests:
------------------------
1. Verified that IPA-client is installed through sssd-container image against ipa-container IPA server.
2. Verified that IPA commands klist works when ipa-client is configured with sssd-container image.
3. Verified that trust related commands like id and other windows AD user details can be viewed from client machine.
4. Verified that ssh works for ipa client setup using sssd-container image.
5. Verified that ipa-user details can be viewed from client machine.
6. Verified that latest version of ipa-client is available with sssd-container image.
7. Verified that IPA-client is un-installed through sssd-container image against RHEL ipa-server.

Verified with

[root@trinity ~]# atomic host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
    Version: 7.6.6 (2019-07-24 08:47:27)
    Commit: 33bb37a7d207ce653eab70306d18deea7daf444b6b7f7aeadef722f96d7e8e6d
    GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

[root@trinity ~]# docker inspect rhel7/sssd | grep url
"authoritative-source-url": "registry.access.redhat.com",
"url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",
"authoritative-source-url": "registry.access.redhat.com",
"url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",

[root@trinity ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-26-08-51-34-722030:/scanin -v /var/lib/atomic/openscap/2019-07-26-08-51-34-722030:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-26-08-51-34-722030.

SSSD as System-Container Sanity Services
========================================
Deny specific ad user login to Atomic host                          Passed
Discover Windows Domain on atomic host using realm cli              Passed
Disjoin Atomic host from AD Domain using realm leave Cli            Passed
Join AD Domain using adcli as membership-software                   Passed
Permit specific ad user login to Atomic host                        Passed
Query AD users using ID command                                     Passed
Realm join with membership software samba                           Passed
Verify sssd selinux label                                           Passed
Verify uninstall container leaves domain                            Passed

SSSD container as Application Container
============================================
Create a sssd application container on Atomic host                  Passed
Query AD users using ID command from sssd app container             Passed
Spawn sssd app container using realm join with adcli option         Passed
Verify sssd application container runs as unprivileged              Passed
kinit as AD User from sssd app container should be successfull      Passed

SSSD Container with KCM
========================
Access user secrets using KCM responder URI                         Passed
Create multiple sssd application containers                         Passed
KCM socket should auto start secrets socket                         Passed
Share KCM Credential cache with other containers                    Passed
Verify ccname type is KCM in sssd application container             Passed
Verify sssd kcm socket                                              Passed

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1929

*** Bug 1734120 has been marked as a duplicate of this bug. ***