Bug 1857157
| Summary: | replica install failing with avc denial for custodia component | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Kaleem <ksiddiqu> |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | cheimes, rcritten, ssidhaye, tscherf |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | 8.3 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.8.7-7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 02:51:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kaleem
2020-07-15 09:42:05 UTC
Fixed upstream master:
https://pagure.io/freeipa/c/69da03b4ca16ca42fe6828d7e2e4b525f8f1087e

Fixed upstream ipa-4-8:
https://pagure.io/freeipa/c/d83b760d1f76a3ba8e527dd27551e51a600b22c0

Reproducer:

[root@replica ~]# rpm -q ipa-server ipa-selinux
ipa-server-4.8.7-6.module+el8.3.0+7359+7ce322ce.x86_64
ipa-selinux-4.8.7-6.module+el8.3.0+7359+7ce322ce.noarch

2020-07-20T12:09:01+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [1/2]: starting ipa-otpd
2020-07-20T12:09:01+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [2/2]: configuring ipa-otpd to start on boot
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Done configuring ipa-otpd.
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Configuring ipa-custodia
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [1/4]: Generating ipa-custodia config file
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Custodia uses 'master.testrealm.test' as master peer.
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [2/4]: Generating ipa-custodia keys
2020-07-20T12:09:02+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [3/4]: starting ipa-custodia
2020-07-20T12:09:04+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG [4/4]: configuring ipa-custodia to start on boot
2020-07-20T12:09:04+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Done configuring ipa-custodia.
2020-07-20T12:09:05+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG 503 Server Error: Service Unavailable for url: https://master.testrealm.test/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=
2020-07-20T12:09:05+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
2020-07-20T12:09:05+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Your system may be partly configured.
2020-07-20T12:09:05+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG Run /usr/sbin/ipa-server-install --uninstall to clean up.
2020-07-20T12:09:05+0000 [ipa_pytests.qe_class.QeHost.replica.cmd23] DEBUG
2020-07-20T12:09:06+0000 [paramiko.transport] DEBUG [chan 23] EOF received (23)
2020-07-20T12:09:06+0000 [paramiko.transport] DEBUG [chan 23] EOF sent (23)

Fixed version

[root@replica ~]# grep -nr "ipa-custodia.sock" /var/log/audit/audit.log
[root@replica ~]# rpm -q ipa-server ipa-selinux
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-selinux-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
[root@replica ~]#

replica install log

2020-07-20T06:16:42Z DEBUG stderr=
2020-07-20T06:16:42Z DEBUG Restart of ipa.service complete
2020-07-20T06:16:42Z INFO The ipa-replica-install command was successful

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670