Bug 1879604

Summary: pkispawn logs files are empty
Product: Red Hat Enterprise Linux 8 Reporter: François Cami <fcami>
Component: ipaAssignee: François Cami <fcami>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 8.3CC: abokovoy, afarley, bugzilla-pkiqe, cheimes, edewata, ksiddiqu, lmiksik, mpolovka, pcech, rcritten, rhcs-maint, tscherf, twoerner
Target Milestone: rcKeywords: Regression, TestCaseProvided
Target Release: 8.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.8.7-12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1879515 Environment:
Last Closed: 2020-11-04 02:51:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description François Cami 2020-09-16 15:42:05 UTC 
+++ This bug was initially created as a clone of Bug #1879515 +++

Description of problem:
When installing a CA instance in IPA, pkispawn no longer logs installation steps and debug logs to /var/log/pki/pki-$subsystem-spawn.$date.log. The log files are empty. The debug logs are important for IPA to understand and debug installation problems.

Version-Release number of selected component (if applicable):
pki-base-10.9.3-1.module+el8.3.0+7928+ce88aa94.noarch
ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64


How reproducible:
always

Steps to Reproduce:
1. dnf -y module enable idm:DL1
2. dnf install ipa-server
3. ipa-server-install

Actual results:
# ls -la /var/log/pki/pki-ca-spawn.20200916083742.log 
-rw-rw-r--. 1 root root 0 Sep 16 08:37 /var/log/pki/pki-ca-spawn.20200916083742.log

Expected results:
The log file contains detailed debug logging of every step.

Additional info:
Comment 1 François Cami 2020-09-16 15:44:29 UTC 
this is due to:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
and can be worked around on ipa side by adding --debug to the pkispawn invocation.
Comment 6 François Cami 2020-09-16 17:08:16 UTC 
Upstream issue: https://pagure.io/freeipa/issue/8503
PR: https://github.com/freeipa/freeipa/pull/5113

Logs showing the issue (the file only contains the gzip headers): http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ae7eb046-f838-11ea-8647-fa163e5fd761/test_integration-test_replica_promotion.py-TestSubCAkeyReplication-test_subca_replica/master.ipa.test/var/log/pki/

Proper log with --debug invocation: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/7465d796-f83c-11ea-ae35-fa163e43b58c/test_integration-test_external_ca.py-TestExternalCAProfileScenarios-test_valid_v1_template/master.ipa.test/var/log/pki/
Comment 10 Alexander Bokovoy 2020-09-17 07:40:33 UTC 
Move to assigned state, based on the upstream PR work.
Comment 11 François Cami 2020-09-17 11:49:41 UTC 
Upstream PR:
https://github.com/freeipa/freeipa/pull/5113
is approved and running through upstream gating.
Comment 12 François Cami 2020-09-17 11:50:47 UTC 
It has upstream test coverage:

Expected failure without the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/f2117a58-f871-11ea-9e9e-fa163e2dc507/report.html

self = <ipatests.test_integration.test_commands.TestIPACommand object at 0x7fdcb353db20>

    def test_pkispawn_log_is_present(self):
        """
        This testcase checks if pkispawn logged properly.
        It is a candidate from being moved out of test_commands.
        """
        result = self.master.run_command(
            ["ls", "/var/log/pki/"]
        )
        pkispawnlogfile = None
        for file in result.stdout_text.splitlines():
            if file.startswith("pki-ca-spawn"):
                pkispawnlogfile = file
                break
        assert pkispawnlogfile is not None
        pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
        pkispawnlog = self.master.get_file_contents(
            pkispawnlogfile, encoding='utf-8'
        )
        # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
>       assert len(pkispawnlog) > 1024
E       AssertionError: assert 0 > 1024
E        +  where 0 = len('')

test_integration/test_commands.py:1318: AssertionError
 -------------------------------Captured log call-------------------------------- 
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['ls', '/var/log/pki/']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:513 RUN ['ls', '/var/log/pki/']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:557 pki-ca-spawn.20200916231608.log
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:557 pki-tomcat
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:217 Exit code: 0
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:436 GET /var/log/pki/pki-ca-spawn.20200916231608.log
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd431:transport.py:513 RUN ['cat', '/var/log/pki/pki-ca-spawn.20200916231608.log']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd431:transport.py:217 Exit code: 0


Green run with the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cf98f4e8-f8b1-11ea-8724-fa163e54c0e1/report.html
Comment 14 François Cami 2020-09-17 14:00:11 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/c31bf3d430763ef5b0ef28510995af48dccde287
https://pagure.io/freeipa/c/be7bf98b3b8cb1db9d4baa5548991ac72049ade8
Comment 15 François Cami 2020-09-17 16:45:25 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/d1c860e59b5237178066ed963cc2fa50d99cd690
https://pagure.io/freeipa/c/97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048
Comment 20 Michal Polovka 2020-09-24 17:07:32 UTC 
Manual verification:

[root@ip test]# rpm -q ipa-server
ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64

[root@ip test]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"


[root@ip test]# ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a ***** -p ***** -U
...output truncated...
SUCCESS

[root@ip test]# ls /var/log/pki
/var/log/pki/pki-ca-spawn.20200924124514.log  pki-tomcat


[root@ip test]# head /var/log/pki/pki-ca-spawn.20200924124514.log 
2020-09-24 12:45:14 INFO: Connecting to LDAP server at ldap://never.gonna.give.you.up:389
2020-09-24 12:45:14 INFO: Connecting to LDAP server at ldap://never.gonna.let.you.down:389
2020-09-24 12:45:14 DEBUG: Installing Maven dependencies: False
2020-09-24 12:45:14 INFO: BEGIN spawning CA subsystem in pki-tomcat instance
2020-09-24 12:45:14 INFO: Loading instance: pki-tomcat
2020-09-24 12:45:14 INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
2020-09-24 12:45:14 INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
2020-09-24 12:45:14 INFO: Setting up pkiuser group
2020-09-24 12:45:14 INFO: Reusing existing pkiuser group with GID n
2020-09-24 12:45:14 INFO: Setting up pkiuser user


Hereby marking as VERIFIED. Automation exists in test test_pkispawn_log_is_present added in ipatests/test_integration/test_commands.py
Comment 23 errata-xmlrpc 2020-11-04 02:51:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670
Comment 25 Red Hat Bugzilla 2023-09-15 00:48:16 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days