Bug 2332433

Summary: IPA Client Fails to Install/Initialize on Fedora Atomic Because of Missing Directories
Product: [Fedora] Fedora Reporter: Alex Botelho <botelho2305>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: abokovoy, akarypid, ftrivino, ipa-maint, mhjacks, pvoborni, rcritten, ssorce, twoerner, yacoob
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
tmpfiles config that seems to fix the missing directories error none

Description Alex Botelho 2024-12-14 23:39:30 UTC 
Description of problem: FreeIPA client cannot be initialized/installed on a custom SilverBlue image (with freeipa-client installed) with ```ipa-client-install``` because directories are missing.

How reproducible:
Every time.

Steps to Reproduce:
1. On a vanilla SilverBlue image use the following Containerfile:
```
FROM quay.io/fedora-ostree-desktops/silverblue:41

RUN dnf install freeipa-client --assumeyes
```

2. Build a custom image: ```sudo podman build -t freeipa-bootc -f Containerfile```

3. Switch SilverBlue to the custom image: ```sudo bootc switch --transport containers-storage localhost/freeipa-bootc```

4. Run ```ipa-client-install --mkhomedir``` and complete a regular FreeIPA client install.

Actual results:
```
[Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/sysrestore.state'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
```

Creating /var/lib/ipa-client by hand leads to ```certmonger.service``` failing, complaining about ```/var/lib/certmonger``` and other files missing.

Expected results:
Successful IPA client initialization/install.

Additional info, possible fix:
I added the below ```system-tmpfiles``` configuration to ```/etc/tmpfiles.d```:
```
d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore
```
Although obviously the package(s) would include it in ```/usr/lib/tmpfiles.d``` instead.

Logging into the system fails regardless, but that seems unrelated, and I will file a separate bug for that.

I also added a link to the Bluefin (Fedora uBlue image) issue I filed which is related.
Comment 1 Alex Botelho 2024-12-14 23:40:45 UTC 
Created attachment 2062510 [details]
tmpfiles config that seems to fix the missing directories error
Comment 2 Alexander Bokovoy 2024-12-15 08:22:20 UTC 
Thanks for the report. We are planning to work on bootc integration early 2025. This is not the only problem to solve, unfortunately.

I mentioned some of these issues in my Flock to Fedora talk this year https://cfp.fedoraproject.org/flock-2024/talk/Q8MNVM/. We have been blocked so far by a number of issues in rpm-ostree and bootc around SELinux policy and handling of xattrs in the derived images. The latter issue was recently resolved (and, for example, SSSD started to work properly in a fully setup environment), so there is some progress. 

Using tmpfiles needs to be limited to specific packages. FreeIPA should not own tmpfiles for certmonger, for example, so that part cannot be merged to FreeIPA.

We also need to properly handle client upgrades to be run in a systemd unit at deployment side rather than during the package upgrade. I have opened https://pagure.io/freeipa/issue/9684 for that and will intend to handle tmpfiles there as well but this will come in 2025.

Moving the state to assigned to indicate it is in plans to work on this bug.
Comment 3 Alex Botelho 2024-12-19 01:45:13 UTC 
Thanks for your time Alex! I've opened a merge request with Bluefin to remove freeipa-client and sssd-ipa from their image for now. I will try and keep an eye on progress for all of this and have Bluefin add it back in once it works.

YouTube seems uninterested in buffering that video at the moment for some reason. I will definitely have a look at a later time.

Cheers!
Comment 4 yacoob 2025-07-19 22:28:01 UTC 
FWIW, it's not limited to the client alone - freeipa-server-common package contains a number of directories under /var/lib and they are all missing on a silverblue install. Which in turn breaks ipa-server-install.
Comment 5 Alexander Bokovoy 2025-08-04 05:52:44 UTC 
(In reply to yacoob from comment #4)
> FWIW, it's not limited to the client alone - freeipa-server-common package
> contains a number of directories under /var/lib and they are all missing on
> a silverblue install. Which in turn breaks ipa-server-install.

Yes, it is a known problem. We aren't started working on the fix yet, but we intend to. Before it is fixed, we do not support running IPA server in the bootc environments.

I'm moving this bug to Rawhide. If we'd fix it, there will be no intent to backport to F41, for sure.