RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1165351 - Errata TPS test fails due to dependent packages not found
Summary: Errata TPS test fails due to dependent packages not found
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-18 20:33 UTC by Asha Akkiangady
Modified: 2015-03-05 08:19 UTC (History)
5 users (show)

Fixed In Version: pki-core-10.1.2-7.el7
Doc Type: Bug Fix
Doc Text:
TPS testing during QE revealed that the shell scripts needed to be modified to work appropriately when invoked from a 'systemctl' process.
Clone Of:
Environment:
Last Closed: 2015-03-05 08:19:49 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0346 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2015-03-05 12:39:54 UTC

Description Asha Akkiangady 2014-11-18 20:33:15 UTC 
Description of problem:
pki-core packages errata (https://errata.devel.redhat.com/advisory/18533) TPS tests are failing due to its complexity dependency chain. 

Version-Release number of selected component (if applicable):
pki-core-10.1.2-4.el7

How reproducible:

Steps to reproduce:

First QE want to know why "Requires: policycoreutils-python", why is this a run time dependency. Trying to resolve all the versioning of this package with multilib library dependencies down to glibc and then its dependencies are impossible.

Matthew, can you please do the following ..

[1]  Make sure that pki-core packages are built against the correct versions of the build dependencies for RHEL 7.1
[2]  Please set the appropriate dependent erratas in the Errata Tool 

Matthew, once you are confident that the errata is filed correctly, we will run the tests again and log bugs for issues we have found. 

Actual results:


Expected results:


Additional info:
Comment 2 Nathan Kinder 2014-11-18 21:24:05 UTC 
(In reply to Asha Akkiangady from comment #0) 
> First QE want to know why "Requires: policycoreutils-python", why is this a
> run time dependency.

The installer uses semanage to do things such as port labelling, which allows us to work in SELinux enforcing mode.  The policycoreutils-python package provides the semanage command:

---------------------------------------------------------
[nkinder@localhost ~]$ rpm -ql policycoreutils-python
...
/usr/sbin/semanage
...
---------------------------------------------------------

> 
> Matthew, can you please do the following ..
> 
> [1]  Make sure that pki-core packages are built against the correct versions
> of the build dependencies for RHEL 7.1

Builds run in brew, and the package level requirements work fine there.  I don't think that there is a problem here.

> [2]  Please set the appropriate dependent erratas in the Errata Tool 

The TPS failures don't look like they are related to package dependencies, and I don't see anything in the reported errors that refers to policycoreutils-python.  I see the following:

1. The 'VerifyTest' test in tps-rpmtest fails.  This is related to the /usr/share/pki/etc/pki.conf configuration file template being modified in the %post phase of pki-base.  This is done to allow us to set the 64-bit JNI path, which can't be set at build time since a noarch package might be built on a 32-bit system and installed on a 64-bit system.  This is certainly something that can be addressed in the pki-base package by performing the sed at instance creation time on the real config file that is created form the template instead of modifying the template at RPM installation time.

  http://nest.test.redhat.com/mnt/qa/scratch/x86-64-7s-v1/2014:18533/tps/tps-rpmtest.html#VerifyTest-2-2-0

There is also a rpm verify failure for glibc-debuginfo, which seems unrelated.  Was glibc-debuginfo manually installed on the TPS system?

2. The 'REBUILD' test in tps-srpmtest fails.  This is related to a deprecation warning that is reported by the compiler.  It seems that TPS is being more strict than Brew when it builds the packages (either by a build option, or a difference in the compiler used), or there is a version difference in whatever Java code that contains the now deprecated class.

-------------------------------------------------------------------------
  Note: com/netscape/cmsutil/crypto/CryptoUtil.java uses or overrides a deprecated API.
-------------------------------------------------------------------------

  http://nest.test.redhat.com/mnt/qa/scratch/x86-64-7s-v1/2014:18533/tps/tps-srpmtest.html#Rebuild%20Test-7-6-1
Comment 3 Roshni 2014-11-19 16:23:07 UTC 
The following are the dependency failures I see...

=== InstallTest =====================
Install test FAILED
Output from RPM Command:
error: Failed dependencies:
	mvn(org.jboss.spec.javax.servlet:jboss-servlet-api_2.5_spec) is needed by resteasy-base-tjws-3.0.6-1.el7.noarch
	mvn(org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec) is needed by resteasy-base-jaxrs-3.0.6-1.el7.noarch
	policycoreutils-python is needed by pki-server-10.1.2-4.el7.noarch
Comment 6 Matthew Harmsen 2014-11-25 00:28:40 UTC 
Checked into 'DOGTAG_10_1_RHEL_BRANCH':

    commit 5bed59556f48f0b6e01a0806e3621137b570d353
    Author: Matthew Harmsen <mharmsen>
    Date:   Wed Nov 19 14:57:43 2014 -0700
    
        Remove legacy multilib JNI_JAR_DIR logic
        
        * Bugzilla Bug #1165351 - Errata TPS test fails due to dependent
          packages not found
Comment 8 Roshni 2014-11-26 13:45:20 UTC 
 Based on Matt's comment https://bugzilla.redhat.com/show_bug.cgi?id=871171#c32 I am changing the status of the bug to ASSIGNED.
Comment 9 Matthew Harmsen 2014-11-26 15:17:04 UTC 
The following was copied from https://bugzilla.redhat.com/show_bug.cgi?id=871171#c32:

The following code snippet apparently does not work when invoked via the 'systemctl' process:

    # Dogtag 10 Conditional Variables
    jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
    # Override jni_jar_dir using a user-defined value if one exists
    jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`

While this code was tested and found to work from shell scripts, the code within the '/usr/share/pki/scripts/operations' as called from the systemctl process will be changed to the following:

    # Use a user-defined value for jni_jar_dir if one exists
    jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
    if [ -z ${jni_jar_dir} ] ; then
        # Otherwise set it to the default value
        jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
    fi
Comment 10 Matthew Harmsen 2014-11-26 20:31:25 UTC 
(In reply to Matthew Harmsen from comment #9)
> The following was copied from
> https://bugzilla.redhat.com/show_bug.cgi?id=871171#c32:
> 
> The following code snippet apparently does not work when invoked via the
> 'systemctl' process:
> 
>     # Dogtag 10 Conditional Variables
>     jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
>     # Override jni_jar_dir using a user-defined value if one exists
>     jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
> 
> While this code was tested and found to work from shell scripts, the code
> within the '/usr/share/pki/scripts/operations' as called from the systemctl
> process will be changed to the following:
> 
>     # Use a user-defined value for jni_jar_dir if one exists
>     jni_jar_dir=`source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
>     if [ -z ${jni_jar_dir} ] ; then
>         # Otherwise set it to the default value
>         jni_jar_dir=`source /usr/share/pki/etc/pki.conf && echo $JNI_JAR_DIR`
>     fi

correction used (implemented similarly on all other shell tests):

    jni_jar_dir=`source /usr/share/pki/etc/pki.conf && source /etc/pki/pki.conf && echo $JNI_JAR_DIR`
Comment 11 Matthew Harmsen 2014-11-26 20:32:25 UTC 
*** Bug 1168127 has been marked as a duplicate of this bug. ***
Comment 13 Kaleem 2014-11-27 07:28:46 UTC 
IPA server install is now successful with build pki-ca-10.1.2-7.el7.noarch

[root@dhcp207-1 ~]# rpm -q ipa-server pki-ca
ipa-server-4.1.0-10.el7.x86_64
pki-ca-10.1.2-7.el7.noarch
[root@dhcp207-1 ~]#

[root@dhcp207-1 ~]# ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=`hostname` -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U

...
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
..
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
...
....
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
..
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
..
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
...
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/15]: setting mod_nss port to 443
...
  [15/15]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
...
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Comment 14 Roshni 2014-12-04 14:58:14 UTC 
TPS tests passed
Comment 16 errata-xmlrpc 2015-03-05 08:19:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0346.html
Note You need to log in before you can comment on or make changes to this bug.