Bug 1729232

Summary: rebuild of sssd-container 7.6
Product: Red Hat Enterprise Linux 7
Reporter: Ferdinand bot (Userspace containerization team) <cyborg-bugzilla>
Component: sssd-container
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: jhrozek, mupadhye, mzidek, ndehadra
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-container-7.6-28
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-29 16:39:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ferdinand bot (Userspace containerization team) 2019-07-11 16:06:54 UTC
Hello,

this bug has been created by bot Ferdinand
in order to be able to create Errata advisory.

With regards,
Ferdinand, member of the bot family,
Userspace Containerization Team, <user-cont>

Comment 3 Nikhil Dehadrai 2019-07-25 16:57:59 UTC
Atomic host Version: 7.6.6 (2019-07-24 08:47:27)
IPA-IMAGE: ipa-server-container-4.6.4-28
SSSD-IMAGE: sssd-container-7.6-28
# atomic run ipadocker rpm -q ipa-server
ipa-server-4.6.4-10.el7_6.6.x86_64
# atomic run sssd rpm -q ipa-client
ipa-client-4.6.4-10.el7_6.6.x86_64


Verified the bug with the following scenarios:
A) CVE Scan:

IPA-IMAGE
------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/ipa-server
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-55-14-754765:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-55-14-754765:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/ipa-server (7a59f8d4e569e6c)

rhel7/ipa-server passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-55-14-754765.


SSSD-IMAGE
-------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-56-19-990281:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-56-19-990281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-56-19-990281.


B) Regression Tests:
------------------------
1. Verified that IPA-client is installed through sssd-container image against ipa-container IPA server.
2. Verified that the IPA command klist works when ipa-client is configured with sssd-container image.
3. Verified that trust related commands like id and other Windows AD user details can be viewed from client machine.
4. Verified that ssh works for ipa client setup using sssd-container image.
5. Verified that ipa-user details can be viewed from client machine.
6. Verified that latest version of ipa-client is available with sssd-container image.
7. Verified that IPA-client is un-installed through sssd-container image against RHEL ipa-server.

Comment 5 Madhuri 2019-07-26 09:05:45 UTC
Verified with

[root@trinity ~]# atomic host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.6.6 (2019-07-24 08:47:27)
                    Commit: 33bb37a7d207ce653eab70306d18deea7daf444b6b7f7aeadef722f96d7e8e6d
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

[root@trinity ~]# docker inspect rhel7/sssd | grep url
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",

[root@trinity ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-26-08-51-34-722030:/scanin -v /var/lib/atomic/openscap/2019-07-26-08-51-34-722030:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-26-08-51-34-722030.

SSSD as System-Container Sanity Services
========================================

Deny specific ad user login to Atomic host                  Passed
Discover Windows Domain on atomic host using realm cli      Passed
Disjoin Atomic host from AD Domain using realm leave Cli    Passed
Join AD Domain using adcli as membership-software           Passed
Permit specific ad user login to Atomic host                Passed
Query AD users using ID command                             Passed
Realm join with membership software samba                   Passed
Verify sssd selinux label                                   Passed
Verify uninstall container leaves domain                    Passed

SSSD container as Application Container
============================================

Create a sssd application container on Atomic host              Passed
Query AD users using ID command from sssd app container         Passed
Spawn sssd app container using realm join with adcli option     Passed
Verify sssd application container runs as unprivileged          Passed
kinit as AD User from sssd app container should be successfull  Passed

SSSD Container with KCM
========================

Access user secrets using KCM responder URI                 Passed
Create multiple sssd application containers                 Passed
KCM socket should auto start secrets socket                 Passed
Share KCM Credential cache with other containers            Passed
Verify ccname type is KCM in sssd application container     Passed
Verify sssd kcm socket                                      Passed

Comment 8 errata-xmlrpc 2019-07-29 16:39:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1929

Comment 9 dhodovsk 2019-07-30 14:43:13 UTC
*** Bug 1734120 has been marked as a duplicate of this bug. ***