Bug 1895197
Summary: | improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find [rhel-7.9.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Marc Sauton <msauton> |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.9 | CC: | edewata, jreznik, ksiddiqu, pcech, rcritten, sigbjorn.lie, tscherf |
Target Milestone: | rc | Keywords: | TestCaseProvided, Triaged, ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | ipa-4.6.8-5.el7_9.4 | Doc Type: | If docs needed, set a value |
Last Closed: | 2021-03-16 13:56:37 UTC | Type: | Bug |
Description
Marc Sauton
2020-11-06 01:23:58 UTC
Notes for triage: looks like an easy fix.

The "pki-server subsystem-show kra" command could be used.

If the KRA is configured, the output looks like:

    # pki-server subsystem-show kra
      Subsystem ID: kra
      Instance ID: pki-tomcat
      Enabled: True

If the KRA hasn't been configured, the output looks like:

    # pki-server subsystem-show kra
    ERROR: ERROR: No kra subsystem in instance pki-tomcat.
    (return code = 1)

If the server doesn't have PKI configured at all (no CA, no KRA), the output is:

    # pki-server subsystem-show kra
    ERROR: Invalid instance pki-tomcat.
    (return code 1)

Notes:
- pki-server does not require the services to be up. The command can be used even during an upgrade when some of the services are stopped.
- The command /usr/sbin/pki-server is delivered in the package pki-server. freeipa-server indirectly requires pki-server pkg through pki-ca and pki-kra packages, meaning that the command is always installed on a freeipa server.

Upstream ticket:
https://pagure.io/freeipa/issue/8596

Fixed upstream
master:
https://pagure.io/freeipa/c/930453b65ea17e190a46208763d366739646264b
https://pagure.io/freeipa/c/526686ec1c6f0fa018c4ffd61ef091783a48163f

Test case provided upstream in test_integration/test_upgrade.py::TestUpgrade::test_kra_detection

ipa-4-8:
af830c0 Improve PKI subsystem detection
7d47e37 ipatests: add test for PKI subsystem detection
ipa-4-9:
cf30cc3 Improve PKI subsystem detection
24f6a36 ipatests: add test for PKI subsystem detection

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/137c4567e3b266c7318f3ac7228b65daa3863825
https://pagure.io/freeipa/c/8367ede02b0a7881f4785ff7d2c90a7d2ee54c4c

Test fixed:
Fixed upstream
master:
https://pagure.io/freeipa/c/6e0634bd72f60295b86a1561adf94f14d6948009

Test Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/35be9259bf4d00fe9423819273d482f590a94cd6
ipa-4-9:
https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6

Test Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/46a4e93da1034d596fa58ab4d1c4d0ac637ecebc
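The three outcomes listed in the triage notes can be told apart mechanically. The following is an added example, not the FreeIPA fix or any code from this report: the names `State`, `classify` and `detect` are hypothetical, and mapping anything other than the three documented outputs (including a subsystem that is not reported as enabled) to `UNKNOWN` is this example's own choice.

```python
import enum
import subprocess

PKI_SERVER = "/usr/sbin/pki-server"  # path given in the bug report

class State(enum.Enum):
    CONFIGURED = "configured"
    NOT_CONFIGURED = "not configured"
    NO_INSTANCE = "no PKI instance"
    UNKNOWN = "unknown"

# The three outputs quoted in the triage notes, keyed by the case they show.
SAMPLES = {
    "configured": "  Subsystem ID: kra\n  Instance ID: pki-tomcat\n  Enabled: True\n",
    "not_configured": "ERROR: ERROR: No kra subsystem in instance pki-tomcat.\n",
    "no_instance": "ERROR: Invalid instance pki-tomcat.\n",
}

def classify(subsystem, returncode, output):
    """Map exit status and text of 'pki-server subsystem-show' to a State."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if returncode == 0:
        # Success must name the subsystem that was asked about and report it
        # enabled; anything else is treated as unknown (example's assumption).
        if fields.get("Subsystem ID") == subsystem and fields.get("Enabled") == "True":
            return State.CONFIGURED
        return State.UNKNOWN
    if "No %s subsystem in instance" % subsystem in output:
        return State.NOT_CONFIGURED
    if "Invalid instance" in output:
        return State.NO_INSTANCE
    return State.UNKNOWN  # unexpected failure: do not guess

def detect(subsystem, run=subprocess.run):
    """Run the command (works with PKI services stopped) and classify it."""
    try:
        # stderr is merged because the notes do not say which stream is used.
        proc = run([PKI_SERVER, "subsystem-show", subsystem],
                   stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                   universal_newlines=True)
    except OSError:
        return State.UNKNOWN  # binary missing or not executable
    return classify(subsystem, proc.returncode, proc.stdout)

if __name__ == "__main__":
    print(detect("kra").value)
```

A caller that gates upgrade steps on the result should treat `UNKNOWN` as a reason to stop and report, not as "not configured".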
Verified based on following details.

IPA Version:
=============
2021-02-10T07:12:25+0000 TASK [List installed IPA packages version] *************************************
2021-02-10T07:12:26+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2021-02-10T07:12:26+0000   msg:
2021-02-10T07:12:26+0000   - arch: x86_64
2021-02-10T07:12:26+0000     epoch: null
2021-02-10T07:12:26+0000     name: ipa-server
2021-02-10T07:12:26+0000     release: 5.el7_9.4
2021-02-10T07:12:26+0000     source: rpm
2021-02-10T07:12:26+0000     version: 4.6.8

snip from test-result log:
==========================
test "test_kra_detection" is executed successfully.

============================= test session starts ==============================
platform linux2 -- Python 2.7.5, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python2
cachedir: .pytest_cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-1160.17.1.el7.x86_64-x86_64-with-redhat-7.9-Maipo', 'Packages': {'py': '1.10.0', 'pytest': '3.10.1', 'pluggy': '0.13.1'}, 'Plugins': {u'html': u'1.22.1', u'multihost': u'1.1', u'sourceorder': u'0.5', u'metadata': u'1.11.0'}}
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-1.1, sourceorder-0.5
collecting ... collected 3 items

test_integration/test_upgrade.py::TestUpgrade::test_invoke_upgrader PASSED [ 33%]
test_integration/test_upgrade.py::TestUpgrade::test_double_encoded_cacert PASSED [ 66%]
test_integration/test_upgrade.py::TestUpgrade::test_kra_detection PASSED [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
========================== 3 passed in 618.53 seconds ==========================

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: ipa security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0860