Bug 1732981
Summary: | When nuxwdog is enabled pkidaemon status shows instances as stopped. | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Matthew Harmsen <mharmsen>
Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint>
Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe>
Severity: | unspecified | Docs Contact: |
Priority: | low | |
Version: | 8.3 | CC: | aakkiang, edewata, mharmsen, rhcs-maint, skhandel
Target Milestone: | rc | Keywords: | TestCaseProvided
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | pki-core-10.6-8030020200806183337.5ff1562f | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | 1487418 | Environment: |
Last Closed: | 2020-11-04 03:15:07 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1487418 | |
Bug Blocks: | | |
Comment 1
Dinesh Prasanth
2020-02-24 15:42:10 UTC
I think we don't need to fix "pkidaemon status" itself, but we need to make sure that "pki-server status" shows the correct information when nuxwdog/keyring is used before closing this ticket.

per comments 1 & 2: QE will basically verify this bug; adding to https://projects.engineering.redhat.com/browse/RHCS-1139

Fixed via PR: https://github.com/dogtagpki/pki/pull/491

Commit information:
===================

```
commit 08370498e120b5f2d880b4fe78cf19a488e8b8eb (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <dmoluguw>
Date:   Tue Jul 21 17:39:50 2020 -0400

    Fix pki-server status CLI to accept nuxwdog enabled service

    This patch fixes pki-server to pick up the right systemd unit file
    name if the nuxwdog is enabled on the PKI server.

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

commit 75fed9db697d2e51137cd8cd60d8402a123b4bca
Author: Dinesh Prasanth M K <dmoluguw>
Date:   Tue Jul 21 16:35:37 2020 -0400

    Print the SD name when executing pki-server status

    Signed-off-by: Dinesh Prasanth M K <dmoluguw>
```

Test Procedure:
===============

1. Install CA (and other subsystems as needed)
2. run pkidaemon status <instance>
3. run pki-server status <instance>

Test 1: Compare the outputs of #2 and #3. Make sure #3 captures all output from #2

Test 2: Enable Nuxwdog and rerun test #1

Documentation:
==============

Cause: pkidaemon was hard-coded to get status of PKI servers that DON'T use nuxwdog

Consequence: There was no CLI to report status of PKI servers that use nuxwdog

Fix: `pkidaemon` is deprecated in favor of `pki-server status` since PKI version 10.7.2. This bug fix ensures that all the content of `pkidaemon` CLI is reported via `pki-server status`. The new CLI also captures status of PKI servers that use nuxwdog

Result: `pki-server status` reports ALL the status report that pkidaemon show and also can handle scenarios where PKI servers use nuxwdog

Moving the BZ to POST

>>> Verified on below builds:

```
[root@pki1 ~]# rpm -qa | grep pki
python3-pki-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tools-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64
pki-ca-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tks-10.9.1-1.module+el8pki+7595+528e2489.noarch
pki-base-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch
pki-base-java-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch
pki-server-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-kra-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tps-10.9.1-1.module+el8pki+7595+528e2489.x86_64
pki-ocsp-10.9.1-1.module+el8pki+7595+528e2489.noarch
pki-symkey-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64
[root@pki1 ~]# rpm -qa | grep jss
jss-4.7.2-1.module+el8.3.0+7594+3661a26e.x86_64
tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch
```

>>> Following is the observation [dmoluguw: Please provide your inputs]:

1. pkidaemon status shows instance as stopped after enabling nuxwdog
2. pki-server status shows status as running and active but does not show the nuxwdog enable true as pkidaemon status shows in RHEL79 https://bugzilla.redhat.com/show_bug.cgi?id=1487418#c13

>>> Following are the logs [Nuxwdog is enabled for topology-02-CA]:

```
> systemctl stop pki-tomcatd
> pki-server instance-nuxwdog-enable topology-02-CA
--------------------------------------------
Nuxwdog enabled for instance topology-02-CA.
--------------------------------------------
> pki-server status topology-02-CA
  Instance ID: topology-02-CA
  Active: False
  Unsecure Port: 20080
  Secure Port: 20443
  Tomcat Port: 20005

  CA Subsystem:
    Type: Root CA (Security Domain)
    SD Name: topology-02_Foobarmaster.org
    SD Registration URL: https://pki1.example.com:20443
    Enabled: True
    Unsecure URL: http://pki1.example.com:20080/ca/ee/ca
    Secure Agent URL: https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL: https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL: https://pki1.example.com:20443/ca/services
    PKI Console URL: https://pki1.example.com:20443/ca
> pkidaemon status topology-02-CA
WARNING: pkidaemon status has been deprecated. Use pki-server status instead.
Status for topology-02-CA: topology-02-CA is stopped
> systemctl start pki-tomcatd-nuxwdog@topology-02-CA
[topology-02-CA] Please provide the password for internal: ************
[topology-02-CA] Please provide the password for internaldb: **********
[topology-02-CA] Please provide the password for replicationdb: ************
> systemctl | grep pki
pki-tomcatd-nuxwdog loaded active running PKI Tomcat Server topology-02-CA Started by Nuxwdog
pki-tomcatd loaded active running PKI Tomcat Server topology-02-KRA
pki-tomcatd loaded active running PKI Tomcat Server topology-02-OCSP
pki-tomcatd loaded active running PKI Tomcat Server topology-02-TKS
pki-tomcatd loaded active running PKI Tomcat Server topology-02-TPS
system-pki\x2dtomcatd.slice loaded active active system-pki\x2dtomcatd.slice
system-pki\x2dtomcatd\x2dnuxwdog.slice loaded active active system-pki\x2dtomcatd\x2dnuxwdog.slice
> systemctl status pki-tomcatd-nuxwdog
● pki-tomcatd-nuxwdog - PKI Tomcat Server topology-02-CA Started by Nuxwdog
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-08-10 17:49:08 IST; 1h 20min ago
  Process: 38490 ExecStartPost=/usr/bin/setfacl -x u:pkiuser /run/systemd/ask-password (code=exited, status=0/SUCCESS)
  Process: 38400 ExecStartPre=/usr/bin/pkidaemon start topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38371 ExecStartPre=/usr/sbin/pki-server migrate topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38368 ExecStartPre=/usr/sbin/pki-server upgrade topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38340 ExecStartPre=/usr/bin/pki-server-nuxwdog (code=exited, status=0/SUCCESS)
  Process: 38338 ExecStartPre=/usr/bin/setfacl -m u:pkiuser:wx /run/systemd/ask-password (code=exited, status=0/SUCCESS)
 Main PID: 38489 (java)
    Tasks: 91 (limit: 23665)
   Memory: 176.0M
   CGroup: /system.slice/system-pki\x2dtomcatd\x2dnuxwdog.slice/pki-tomcatd-nuxwdog
           └─38489 /usr/lib/jvm/jre-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/>

Aug 10 17:49:08 pki1.example.com systemd[1]: pki-tomcatd-nuxwdog: Found left-over process 38365 (sleep) in control group while starting unit. Ignoring.
Aug 10 17:49:08 pki1.example.com systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Aug 10 17:49:08 pki1.example.com systemd[1]: Started PKI Tomcat Server topology-02-CA Started by Nuxwdog.
Aug 10 17:49:08 pki1.example.com server[38489]: Java virtual machine used: /usr/lib/jvm/jre-openjdk/bin/java
Aug 10 17:49:08 pki1.example.com server[38489]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Aug 10 17:49:08 pki1.example.com server[38489]: main class used: org.apache.catalina.startup.Bootstrap
Aug 10 17:49:08 pki1.example.com server[38489]: flags used: -Dcom.redhat.fips=false
Aug 10 17:49:08 pki1.example.com server[38489]: options used: -Dcatalina.base=/var/lib/pki/topology-02-CA -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/topology-02-CA/temp -Djava.util.logging.confi>
Aug 10 17:49:08 pki1.example.com server[38489]: arguments used: start
Aug 10 17:49:10 pki1.example.com server[38489]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
> pkidaemon status topology-02-CA
WARNING: pkidaemon status has been deprecated. Use pki-server status instead.
Status for topology-02-CA: topology-02-CA is stopped
> pki-server status topology-02-CA
  Instance ID: topology-02-CA
  Active: True
  Unsecure Port: 20080
  Secure Port: 20443
  Tomcat Port: 20005

  CA Subsystem:
    Type: Root CA (Security Domain)
    SD Name: topology-02_Foobarmaster.org
    SD Registration URL: https://pki1.example.com:20443
    Enabled: True
    Unsecure URL: http://pki1.example.com:20080/ca/ee/ca
    Secure Agent URL: https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL: https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL: https://pki1.example.com:20443/ca/services
    PKI Console URL: https://pki1.example.com:20443/ca
>>> tail -5 /etc/sysconfig/topology-02-CA
TOMCAT_USER="pkiuser"
TOMCAT_SECURITY="true"
# Use Nuxwdog to start server
USE_NUXWDOG="true"
```

> >>> Following is the observation [dmoluguw: Please provide your inputs]:
> 1. pkidaemon status shows instance as stopped after enabling nuxwdog

pkidaemon is deprecated (See the WARNING when you execute). Whatever you observe seems to be the right behavior

> 2. pki-server status shows status as running and active but does not
> show the nuxwdog enable true as pkidaemon status shows in RHEL79
> https://bugzilla.redhat.com/show_bug.cgi?id=1487418#c13

Good catch. I have fixed it via PR: https://github.com/dogtagpki/pki/pull/515

This is not a blocker and does not alter the way of how the product operates. So, I'm inclined to ignore this for the purpose of verification of this BZ. If you are OK with it, the above PR will be delivered in PKI 10.10 (RHEL8.4)
> pki-server status shows the status of instance even when nuxwdog is enabled. It is not a major issue/ blocker, if it is not showing the status of nuxwdog (enable/disable). We can take this in RHEL8.4.
> pkidaemon status is still breaking but it is deprecated so I am marking this BZ verified on the basis of https://bugzilla.redhat.com/show_bug.cgi?id=1732981#c10.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847
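The cause recorded in this bug, a status check hard-coded to the non-nuxwdog unit, comes down to choosing the systemd unit from the instance's `USE_NUXWDOG` setting before asking systemd anything. The following is an added example for monitoring scripts, not code from the PKI project or from any comment above; the function names and the `PKI_SYSCONFIG_DIR` override are hypothetical, and it assumes the `pki-tomcatd@` and `pki-tomcatd-nuxwdog@` unit templates and the `/etc/sysconfig/<instance>` file seen in the logs.

```shell
#!/bin/sh
# Added example (not PKI project code): pick the systemd unit that actually
# runs a PKI instance, so a health check does not report a nuxwdog-started
# CA as stopped.

# Directory holding per-instance sysconfig files; overridable for testing.
PKI_SYSCONFIG_DIR="${PKI_SYSCONFIG_DIR:-/etc/sysconfig}"

# Print "true" or "false" depending on USE_NUXWDOG in the instance's
# sysconfig file. Returns 2 if the instance has no readable sysconfig file.
pki_uses_nuxwdog() {
    conf="$PKI_SYSCONFIG_DIR/$1"
    [ -f "$conf" ] && [ -r "$conf" ] || return 2
    # Commented-out lines do not match; the last assignment wins, as it
    # would if the file were sourced.
    value=$(sed -n 's/^[[:space:]]*USE_NUXWDOG=//p' "$conf" | tail -n 1 | tr -d "\"'")
    if [ "$value" = "true" ]; then echo true; else echo false; fi
}

# Print the unit name to query for an instance (assumed template names).
pki_unit_for_instance() {
    instance="$1"
    # The name ends up in a path and a unit name: allow only a safe charset.
    case "$instance" in
        ""|.*|*[!A-Za-z0-9_.-]*)
            echo "invalid instance name" >&2
            return 1 ;;
    esac
    nuxwdog=$(pki_uses_nuxwdog "$instance") || return $?
    if [ "$nuxwdog" = "true" ]; then
        echo "pki-tomcatd-nuxwdog@${instance}.service"
    else
        echo "pki-tomcatd@${instance}.service"
    fi
}

# Report systemd's view of the right unit (requires systemd on the host).
pki_instance_active() {
    unit=$(pki_unit_for_instance "$1") || return $?
    systemctl is-active "$unit"
}
```

On a patched system `pki-server status <instance>` remains the supported check; a helper like this is only useful where a script has to query systemd directly.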