Bug 739604

Summary: ipa-server-install :: failing to configure CA :: restorecon returning 1 when changing context
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: 6.1CC: dwalsh, mkosek, nsoman
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.1-3.el6 Doc Type: Bug Fix
Doc Text:
Do not document
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:31:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 743047    

Description Jenny Severance 2011-09-19 15:47:31 UTC 
Description of problem:
IPA server is now failing to install as restorecon returns 1 when changing context and IPA is expecting 0 for success.

Unexpected error - see ipaserver-install.log for details:
 Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1


ipa-server-install.log

<snip>

2011-09-19 11:36:41,937 DEBUG stderr=
2011-09-19 11:36:42,002 DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t CT,C,C -n TESTRELM IPA CA -a -i /tmp/tmpo5puqh
2011-09-19 11:36:42,003 DEBUG stdout=
2011-09-19 11:36:42,004 DEBUG stderr=
2011-09-19 11:36:42,005 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,006 DEBUG   [8/17]: fixing RA database permissions
2011-09-19 11:36:42,008 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,009 DEBUG   [9/17]: setting up signing cert profile
2011-09-19 11:36:42,012 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,013 DEBUG   [10/17]: set up CRL publishing
2011-09-19 11:36:44,042 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish
2011-09-19 11:36:44,043 DEBUG stdout=
2011-09-19 11:36:44,044 DEBUG stderr=
2011-09-19 11:36:44,067 DEBUG Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1
  File "/usr/sbin/ipa-server-install", line 1068, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 871, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 276, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1047, in __enable_crl_publish
    ipautil.run(["/sbin/restorecon", publishdir])

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 242, in run
    raise CalledProcessError(p.returncode, args)


</snip>


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Martin Kosek 2011-09-19 15:58:03 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1816
Comment 2 Rob Crittenden 2011-09-19 15:58:58 UTC 
This isn't a regression in IPA code.

Dan Walsh tells me that restorecon returns 1 when it changes a context. Not
sure if this is something new or if something else changed.
Comment 4 Daniel Walsh 2011-09-19 16:08:17 UTC 
You should probably just ignore the status output from restorecon.
Comment 5 Martin Kosek 2011-09-20 06:56:04 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/1d8a891844ad8505e376c473f42055368ba00767
ipa-2-1: https://fedorahosted.org/freeipa/changeset/7a4295ef1ae1d4e7d51d4c7072102694243873e2
Comment 8 Jenny Severance 2011-09-21 14:26:41 UTC 
fix verified :

<snip>

2011-09-21 10:07:43,622 DEBUG   [9/17]: setting up signing cert profile
2011-09-21 10:07:43,623 DEBUG   duration: 0 seconds
2011-09-21 10:07:43,623 DEBUG   [10/17]: set up CRL publishing
2011-09-21 10:07:43,759 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish
2011-09-21 10:07:43,759 DEBUG stdout=
2011-09-21 10:07:43,759 DEBUG stderr=
2011-09-21 10:07:43,759 DEBUG   duration: 0 seconds
2011-09-21 10:07:43,759 DEBUG   [11/17]: set certificate subject base
2011-09-21 10:07:43,761 DEBUG   duration: 0 seconds

</snip>

version:

ipa-server-2.1.1-3.el6.x86_64
Comment 10 Martin Kosek 2011-11-01 09:37:18 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document
Comment 11 errata-xmlrpc 2011-12-06 18:31:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html