Bug 1758771
Summary: | [RHOSP15] IDM TLS Everywhere missing libraries | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Brendan Shephard <bshephar> | |
Component: | python-novajoin | Assignee: | Ade Lee <alee> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavan <pkesavar> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 15.0 (Stein) | CC: | alee, batkisso, dwilde, ggrasza, hjensas, ipilcher, jschluet, moguimar, msalmanmasood, nkinder, rcritten | |
Target Milestone: | z3 | Keywords: | Regression, TestOnly, Triaged, ZStream | |
Target Release: | 15.0 (Stein) | |||
Hardware: | All | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | python-novajoin-1.2.1-0.20191217180446.265146e.el8ost | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1782594 | Environment: | |
Last Closed: | 2020-09-24 14:46:38 UTC | Type: | Bug | |
Bug Blocks: | 1782594 |
Description
Brendan Shephard
2019-10-05 13:32:05 UTC
python-nss isn't included in RHEL 8. It looks like the code which uses this import is no longer used so the create_nssdb() method can just be removed altogether.

I just updated my Director node and it seems to work now. It still has the python-nss package installed from pip, so that might have helped me with the initial error. But the krb5_conf issue is gone now.

My overcloud is deployed as well. So it seems to be working.

(In reply to Brendan Shephard from comment #2)
> I just updated my Director node and it seems to work now. It still has the
> python-nss package installed from pip, so that might have helped me with the
> initial error. But the krb5_conf issue is gone now.
>
> My overcloud is deployed as well. So it seems to be working.

How did you actually work around this?

(In reply to Ian Pilcher from comment #6)
> How did you actually work around this?

Nevermind. I see that you still have python-nss installed via pip.

So unless I'm very much mistaken, this is going to break internal TLS, as the overcloud nodes will presumably have the same issue.

Marking this as a regression.

(In reply to Rob Crittenden from comment #1)
> python-nss isn't included in RHEL 8. It looks like the code which uses this
> import is no longer used so the create_nssdb() method can just be removed
> altogether.

scripts/novajoin-ipa-setup:100-112

    if precreate_opts_specified:
        # IPA v4.5.0 switched client from NSS to OpenSSL
        if version.NUM_VERSION >= 40500:
            cafile = novajoin.create_cafile(opts.server, opts.realm)
            # Workaround for https://pagure.io/freeipa/issue/7145
            try:
                args['tls_ca_cert'] = cafile.decode('UTF-8')
            except AttributeError:
                args['tls_ca_cert'] = cafile
        else:
            nss_db = novajoin.create_nssdb(opts.server, opts.realm)
            try:
                args['nss_dir'] = nss_db.secdir.decode('UTF-8')
            except AttributeError:
                args['nss_dir'] = nss_db.secdir

Novajoin is not branched; if we remove this code it will no longer work with IPA < v4.5.0.

Is it safe to do this, or do we risk breaking someone's deployment that runs with an older version of IPA?

Another option would be to conditionally import nss.nss, and only raise the exception if IPA version < 40500?

Hitting the same issue with python3-novajoin-1.1.2-0.20190912190429.b971c78.el8ost.noarch

Attempted the workaround but failed even after installing the nss with no luck.

    Traceback (most recent call last):
      File "/bin/novajoin-ipa-setup", line 23, in <module>
        from novajoin import configure_ipa
      File "/usr/lib/python3.6/site-packages/novajoin/configure_ipa.py", line 55, in <module>
        import nss.nss as nss

*** Bug 1791304 has been marked as a duplicate of this bug. ***

According to our records, this should be resolved by python-novajoin-1.2.1-0.20191217180446.265146e.el8ost. This build is available now.
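
One way to implement the conditional import suggested in the thread, as an added example (not novajoin's code, and not necessarily the fix that shipped): python-nss is loaded only when the IPA version is below 40500, so a RHEL 8 host without it still takes the OpenSSL path. The names `optional_import`, `as_text`, `trust_store_args` and the callable parameters are hypothetical.

```python
import importlib

# From the excerpt above: IPA v4.5.0 switched the client from NSS to OpenSSL.
IPA_OPENSSL_VERSION = 40500


def optional_import(name):
    """Return the named module, or None when it is not installed."""
    try:
        return importlib.import_module(name)
    except ImportError:
        return None


def as_text(value):
    # Same bytes/str tolerance as the try/except AttributeError in the excerpt.
    return value.decode("UTF-8") if isinstance(value, bytes) else value


def trust_store_args(ipa_num_version, create_cafile, create_nssdb,
                     nss_module="nss.nss"):
    """Build the CA trust arguments for the IPA client connection.

    create_cafile and create_nssdb are zero-argument callables standing in
    for novajoin.create_cafile(...) and novajoin.create_nssdb(...); this
    wiring is an assumption made for the example.
    """
    if ipa_num_version >= IPA_OPENSSL_VERSION:
        # OpenSSL path: python-nss is never imported, so its absence is harmless.
        return {"tls_ca_cert": as_text(create_cafile())}

    # Legacy path: only here is python-nss actually required, so fail here,
    # with a message naming the cause, instead of at module import time.
    if optional_import(nss_module) is None:
        raise RuntimeError(
            "IPA version %d predates 4.5.0 and needs python-nss, "
            "which is not installed" % ipa_num_version
        )
    return {"nss_dir": as_text(create_nssdb().secdir)}
```
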