Bug 1866811

Summary: gssapi packages missing on upgrade
Product: [oVirt] ovirt-appliance
Reporter: Yedidyah Bar David <didi>
Component: General
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavol Brilla <pbrilla>
Severity: high
Docs Contact:
Priority: urgent
Version: ---
CC: asocha, bugs, emarcus, lleistne, michal.skrivanek, mkalinin, mperina, mtessun
Target Milestone: ovirt-4.4.2
Keywords: ZStream
Target Release: 4.4.2
Flags:
  sbonazzo: ovirt-4.4?
  mtessun: planning_ack+
  sbonazzo: devel_ack+
  lleistne: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-appliance-4.4-20200826172858.1.el8
Doc Type: Bug Fix
Doc Text:
  Cause: mod_auth_gssapi package was not included in oVirt Appliance.
  Consequence: Upgrade from 4.3 to 4.4 failed while restoring SSO configuration requiring the gssapi module for processing the "GssapiCredStore keytab:/etc/httpd/http.keytab" directive.
  Fix: mod_auth_gssapi has been added to oVirt appliance.
  Result: Upgrade from 4.3 to 4.4 is now possible even with SSO configuration included.
Story Points: ---
Clone Of:
Clones: 1867038
Environment:
Last Closed: 2020-09-22 10:31:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1867038

Description Yedidyah Bar David 2020-08-06 12:55:51 UTC
Description of problem:

Our documentation says [1] to install mod_auth_gssapi for configuring single-sign-on.

Since recently, engine-backup also backs up the configuration file that the documentation says to create, to include (also) the command:

GssapiCredStore keytab:/etc/httpd/http.keytab

On upgrade from a system that followed this, engine-setup fails when starting httpd, and httpd log complains about this command (GssapiCredStore), because the module is missing.

We should IMO include in the appliance all the packages we document to install, even optionally. For this specific case, the list is:

ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_gssapi mod_session

We should probably review all documentation for similar cases.

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/configuring_ldap_and_kerberos_for_single_sign-on

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Setup 4.3 hosted-engine
2. Follow docs (above [1]) to configure single-sign-on
3. Upgrade to 4.4

Actual results:
Fails
hosted-engine log has:

2020-08-06 15:22:07,968+0300 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 TASK [ovirt.engine-setup : Run engine-setup with answerfile]
2020-08-06 15:23:18,434+0300 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:103 {'msg': 'non-zero return code', 'cmd': ['engine-setup', '--accept-defaults', '--config-append=/root/ovirt-engine-answers'], 'stdout': "[ INFO  ] Stage: Initializing\n[ INFO  ] Stage: Environment setup\n

... (all in a single line. Perhaps we should also try to split it in the log...)

[ ERROR ] Failed to execute stage 'Closing up': Failed to start service 'httpd'\n

Expected results:
Succeeds

Additional info:

A workaround is probably (still verifying) to create a file e.g. /usr/share/ansible/roles/ovirt.hosted_engine_setup/hooks/enginevm_before_engine_setup/install-gssapi.yml with content:

- name: Install mod_auth_gssapi
  package:
      name: mod_auth_gssapi
      state: present

Comment 1 Sandro Bonazzola 2020-08-07 09:33:39 UTC
If I understood correctly, the only required package to make upgrade succeed in this case is mod_auth_gssapi.
Pushed https://gerrit.ovirt.org/110693 adding it to appliance.

Since our documentation suggests also
- ovirt-engine-extension-aaa-misc
- ovirt-engine-extension-aaa-ldap (added explicitly despite it already being included by ovirt-engine-extension-aaa-ldap-setup, which we already require there)
- mod_session

I pushed https://gerrit.ovirt.org/110698 separately.
I tend to agree we should have them in.
Size increase is minimal and shouldn't cause issues if not utilized.
Martin any objection?


> We should probably review all documentation for similar cases.

Can you handle that, didi?

Comment 2 Martin Perina 2020-08-07 09:37:26 UTC
(In reply to Sandro Bonazzola from comment #1)
> If I understood correctly, the only required package to make upgrade succeed
> in this case is mod_auth_gssapi.
> Pushed https://gerrit.ovirt.org/110693 adding it to appliance.
> 
> Since our documentation suggest also
> - ovirt-engine-extension-aaa-misc
> - ovirt-engine-extension-aaa-ldap (added explicitly despite it's already
> included by ovirt-engine-extension-aaa-ldap-setup we already require there)
> - mod_session
> 
> I pushed https://gerrit.ovirt.org/110698 separately.
> I tend to agree we should have them in.
> Size increase is minimal and shouldn't cause issues if not utilized.
> Martin any objection?
> 

Artur, any other package needed for Keycloak/RHSSO integration?

> 
> > We should probably review all documentation for similar cases.
> 
> Can you handle didi?

Eli Marcus is working on Keycloak/RHSSO integration in BZ1658698

Comment 3 Artur Socha 2020-08-07 10:46:00 UTC
For Keycloak integration we need mod_auth_openidc. For CentOS 8 this is available as a module.

dnf module enable mod_auth_openidc:2.3 -y
dnf install mod_auth_openidc

Comment 4 Artur Socha 2020-08-07 10:47:07 UTC
(In reply to Artur Socha from comment #3)
> For keycloak integration we need mod_auth_openidc. For centos8 this is
> available as module.
> 
> dnf module enable mod_auth_openidc:2.3 -y
> dnf install mod_auth_openidc

ovirt-engine-extension-aaa-misc is required as well.

Comment 5 Marina Kalinin 2020-08-07 16:17:32 UTC
Can someone please confirm the workaround in this KCS? https://access.redhat.com/solutions/5305591.

Comment 7 Sandro Bonazzola 2020-08-10 12:29:33 UTC
(In reply to Artur Socha from comment #4)
> (In reply to Artur Socha from comment #3)
> > For keycloak integration we need mod_auth_openidc. For centos8 this is
> > available as module.
> > 
> > dnf module enable mod_auth_openidc:2.3 -y
> > dnf install mod_auth_openidc
> 
> ovirt-engine-extension-aaa-misc is required as well.

Are these needed if we restore a database from an engine which was using them? Will the engine die if they're not in? Or can they be re-added in a second step?

Comment 8 Artur Socha 2020-08-10 12:42:46 UTC
They all can be added later. Without those packages user will not be able to login but the engine's service will be up and running.

Comment 9 Artur Socha 2020-08-10 12:45:00 UTC
(In reply to Artur Socha from comment #8)
> They all can be added later. Without those packages user will not be able to
> login but the engine's service will be up and running.

One more thing that has just come to my mind. In case of re-adding ovirt-engine-extension-aaa-misc, an engine restart will be needed.
Similarly, when mod_auth_openidc is installed, httpd must be restarted.
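
The failure in this bug (httpd refusing to start on an SSO config whose module is not installed) is cheap to catch before engine-setup reaches the "Closing up" stage. Below is an added pre-flight check, written for this page and not code from the bug report or from the oVirt project: it scans a restored httpd config fragment for auth directives, maps them to the packages they need, reports the ones not installed, and names the service that must be restarted once the package is added later (the httpd/ovirt-engine restart rule comes from comments 8 and 9). The GssapiCredStore/AuthType GSSAPI to mod_auth_gssapi mapping is from this bug; the OIDC*/Session* prefix mappings to mod_auth_openidc and mod_session are assumptions based on those modules' directive naming, and the sample config in the demo is constructed, not the documented file.

```shell
#!/bin/sh
# Added example (not from the bug or from oVirt): pre-flight check that the
# httpd modules an SSO config depends on are installed before httpd is started.

# Print, sorted and unique, the packages whose httpd directives appear in config file $1.
# Directive names are case-insensitive in httpd, so everything is lowercased first.
required_packages_for_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            d = tolower($1); v = tolower($2)
            if (d ~ /^gssapi/)                                  pkg["mod_auth_gssapi"] = 1
            else if (d == "authtype" && v == "gssapi")          pkg["mod_auth_gssapi"] = 1
            else if (d ~ /^oidc/)                               pkg["mod_auth_openidc"] = 1   # assumption
            else if (d == "authtype" && v == "openid-connect")  pkg["mod_auth_openidc"] = 1   # assumption
            else if (d ~ /^session/)                            pkg["mod_session"] = 1        # assumption
        }
        END { for (p in pkg) print p }
    ' "$1" | sort
}

# Service to restart after a package is installed later (comments 8/9 of the bug).
service_for_package() {
    case "$1" in
        mod_*)                    echo httpd ;;
        ovirt-engine-extension-*) echo ovirt-engine ;;
        *)                        echo unknown ;;
    esac
}

# Installed check via rpm; a separate function so it can be replaced on hosts without rpm.
installed_pkg() {
    rpm -q "$1" >/dev/null 2>&1
}

# Print "<package> <service-to-restart>" for each required package that is missing.
# Returns 1 if anything is missing, 0 otherwise.
missing_packages() {
    rc=0
    for p in $(required_packages_for_config "$1"); do
        if ! installed_pkg "$p"; then
            echo "$p $(service_for_package "$p")"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on a constructed config fragment: run as `sh check-sso-modules.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not the documented oVirt SSO config
<Location /ovirt-engine/sso/>
  AuthType GSSAPI
  GssapiCredStore keytab:/etc/httpd/http.keytab
  Session On
</Location>
EOF
    missing_packages "$tmp" || echo "install the packages listed above before starting httpd"
    rm -f "$tmp"
fi
```

Run it against the file engine-backup restores (the one the documentation tells you to create) on the new engine VM before engine-setup; an `enginevm_before_engine_setup` hook like the one in the description is a natural place to call it, with `dnf install` of whatever it lists.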

Comment 10 Michal Skrivanek 2020-08-26 18:40:59 UTC
Any patch missing? If not, please move to MODIFIED.