Bug 2132731

Summary: [ansible-freeipa] ipaserver: Add missing idstart check
Product: Red Hat Enterprise Linux 9
Component: ansible-freeipa
Version: 9.1
Reporter: Thomas Woerner <twoerner>
Assignee: Thomas Woerner <twoerner>
QA Contact: Varun Mylaraiah <mvarun>
CC: ipa-qe, mjurasek, mvarun
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ansible-freeipa-1.9.0-1.el9
Doc Type: If docs needed, set a value
Clone Of: 2132729
Clones: 2132976 2132977
Bug Depends On: 2132729
Bug Blocks: 2132976, 2132977
Type: Bug
Last Closed: 2023-05-09 07:25:56 UTC

Description Thomas Woerner 2022-10-06 13:42:23 UTC
+++ This bug was initially created as a clone of Bug #2132729 +++

Description of problem:
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
The check is missing in ipaserver role.

Version-Release number of selected component (if applicable):
ansible-freeipa-1.8.3

How reproducible:
Always

Steps to Reproduce:
1. Deploy using "ipaserver_idstart: 1000"
2. Check UID_MAX/GID_MAX in /etc/login.defs
3. Check for ipaRangeType errors in sssd_sub.example.com.log file.

Actual results:
No failure if ipaserver_idstart is too low.

Expected results:
Failure if ipaserver_idstart is too low.

--- Additional comment from Thomas Woerner on 2022-10-06 13:40:55 UTC ---

Upstream PR: https://github.com/freeipa/ansible-freeipa/pull/897
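
The rule the report describes, as an added Python check that is not code from the bug report or from the upstream PR: parse UID_MAX and GID_MAX out of login.defs and refuse any idstart that does not exceed both, producing the same message the verification run in this bug shows. The sample login.defs text and the 60000 fallback defaults are assumptions.

```python
import re

# Constructed sample of /etc/login.defs (not copied from the bug report); the
# 60000 limits match the value shown in the verification log of this bug.
SAMPLE_LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
"""

# Fallbacks when a key is absent from login.defs (assumption: shadow-utils defaults).
DEFAULT_UID_MAX = 60000
DEFAULT_GID_MAX = 60000


def parse_login_defs(text):
    """Return {KEY: int} for integer-valued settings; comments and blanks are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"\d+", parts[1]):
            values[parts[0]] = int(parts[1])
    return values


def check_idstart(idstart, login_defs_text):
    """Return None when idstart is acceptable, otherwise the failure message.

    Rule from the bug report: idstart must be larger than both UID_MAX and
    GID_MAX, so IDs handed out by IPA can never collide with IDs that useradd
    or groupadd may assign locally according to /etc/login.defs.
    """
    defs = parse_login_defs(login_defs_text)
    id_max = max(defs.get("UID_MAX", DEFAULT_UID_MAX),
                 defs.get("GID_MAX", DEFAULT_GID_MAX))
    if idstart <= id_max:
        return ("idstart (%d) must be larger than UID_MAX/GID_MAX (%d) "
                "setting in /etc/login.defs." % (idstart, id_max))
    return None


if __name__ == "__main__":
    # The reproducer from the report: ipaserver_idstart: 1000 must be rejected.
    for candidate in (1000, 60000, 60001):
        print(candidate, "->", check_idstart(candidate, SAMPLE_LOGIN_DEFS) or "OK")
```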

Comment 7 Varun Mylaraiah 2022-12-20 13:47:27 UTC
Verified
ansible-core-2.14.1-1.el9.x86_64
ansible-freeipa-1.9.0-1.el9.noarch

Passed	ansible_freeipa_tests/master/test_idm_deploy_master.py::TestMaster_Verify_Idstart::test_server_install_with_idstart

DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAYBOOK: install-server.yaml **************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 1 plays in install-server.yaml
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAY [Playbook to configure IPA servers] ***************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [Gathering Facts] *********************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /root/install-server.yaml:2
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test]
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Import variables specific to distribution] *******************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:4
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => (item=/usr/share/ansible/roles/ipaserver/vars/default.yml) => {"ansible_facts": {"ipaserver_packages": ["ipa-server", "python3-libselinux"], "ipaserver_packages_adtrust": ["freeipa-server-trust-ad"], "ipaserver_packages_dns": ["ipa-server-dns"], "ipaserver_packages_firewalld": ["firewalld"]}, "ansible_included_var_files": ["/usr/share/ansible/roles/ipaserver/vars/default.yml"], "ansible_loop_var": "item", "changed": false, "item": "/usr/share/ansible/roles/ipaserver/vars/default.yml"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install IPA server] ******************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/main.yml:19
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 included: /usr/share/ansible/roles/ipaserver/tasks/install.yml for master.ipadomain.test
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages are installed] *****
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:5
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages for dns are installed] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:10
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that IPA server packages for adtrust are installed] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:16
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Ensure that firewall packages installed] ***********
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:22
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 ok: [master.ipadomain.test] => {"changed": false, "msg": "Nothing to do", "rc": 0, "results": []}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld service - Ensure that firewalld is running] ********
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:31
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld - Verify runtime zone "{{ ipaserver_firewalld_zone }}"] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:37
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Firewalld - Verify permanent zone "{{ ipaserver_firewalld_zone }}"] ***
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:44
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : include_tasks] ***********************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:54
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 skipping: [master.ipadomain.test] => {"changed": false, "skip_reason": "Conditional result was False"}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 TASK [ipaserver : Install - Server installation test] **************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 task path: /usr/share/ansible/roles/ipaserver/tasks/install.yml:60
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "idstart (1000) must be larger than UID_MAX/GID_MAX (60000) setting in /etc/login.defs."}
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 PLAY RECAP *********************************************************************
DEBUG    pytest_multihost.host.Host.ansible.cmd20:transport.py:563 master.ipadomain.test      : ok=6    changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   


Based on the test result, marking the bug Verified

Comment 10 errata-xmlrpc 2023-05-09 07:25:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:2168