Bug 1282504 - Installing pki-server in container reports scriptlet failed, exit status 1
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 7.4
Assigned To: Matthew Harmsen
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Keywords: Regression
Reported: 2015-11-16 10:44 EST by Jan Pazdziora
Modified: 2017-08-01 18:46 EDT
Fixed In Version: pki-core-10.4.1-2.el7
Doc Type: Bug Fix
Doc Text:
Installing PKI Server in a container environment no longer displays a warning
Previously, when installing the _pki-server_ RPM package in a container environment, the *systemd* daemon was reloaded. As a consequence, a warning was displayed. A patch has been applied to reload the daemon only during an RPM upgrade. As a result, the warning is no longer displayed in the mentioned scenario.
Last Closed: 2017-08-01 18:46:01 EDT
Type: Bug


Attachments
pki-core.spec (93.50 KB, patch)
2016-01-26 10:47 EST, Endi Sukma Dewata
docker_out.txt (31.22 KB, text/plain)
2017-05-10 03:47 EDT, Geetika Kapoor

Description Jan Pazdziora 2015-11-16 10:44:32 EST
Description of problem:

When the FreeIPA container image is built, the yum installation of pki-server reports

  Installing : pki-server-10.2.5-6.el7.noarch                           361/373 
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
  Installing : pki-kra-10.2.5-6.el7.noarch                              362/373 

No such error was shown with RHEL 7.1:

  Installing : pki-server-10.1.2-7.el7.noarch                           366/384 
  Installing : pki-ca-10.1.2-7.el7.noarch                               367/384 

Version-Release number of selected component (if applicable):

pki-server-10.2.5-6.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Check out the RHEL (7.2) branch of https://github.com/adelton/docker-freeipa
2. Build the container image: docker build -t freeipa-server .

Actual results:

  Installing : pki-server-10.2.5-6.el7.noarch                           361/373 
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
  Installing : pki-kra-10.2.5-6.el7.noarch                              362/373 

Expected results:

  Installing : pki-server-10.2.5-6.el7.noarch                           361/373 
  Installing : pki-kra-10.2.5-6.el7.noarch                              362/373 

Additional info:

It seems in RHEL 7.2, systemctl daemon-reload was added via https://fedorahosted.org/pki/ticket/1255 / 7b1d897ba4cf9de1459d2aad37e969ce9a93a05a.

In general (already on RHEL 7.1), it seems strange that the post scriptlet which is only meant for upgrade scenarios is not limited to situations when rpm upgrade actually happened. The whole thing probably should be behind an [ $1 == 1 ] if.
Comment 3 Matthew Harmsen 2016-01-06 20:36:12 EST
Per discussions in the RHEL 7.3 Triage meeting of 01/06/2016: priority medium
Comment 4 Matthew Harmsen 2016-01-06 20:42:28 EST
Upstream ticket:
https://fedorahosted.org/pki/ticket/1722
Comment 5 Jan Pazdziora 2016-01-11 02:19:14 EST
Christian pointed out that I probably wanted to say [ "$1" == "2" ] in comment 0.
Comment 6 Endi Sukma Dewata 2016-01-26 10:47 EST
Created attachment 1118549 [details]
pki-core.spec
Comment 7 Endi Sukma Dewata 2016-01-26 10:49:12 EST
I was not able to test it in Docker so I couldn't reproduce the problem. Could you give it a try? Thanks.
Comment 8 Jan Pazdziora 2016-01-26 11:09:07 EST
(In reply to Endi Sukma Dewata from comment #7)
> I was not able to test it in Docker so I couldn't reproduce the problem.
> Could you give it a try? Thanks.

How did you try to reproduce it? Even plain

   docker run -ti rhel7 yum install -y pki-server

produces

  Installing : velocity-1.7-10.el7.noarch         223/224 
  Installing : pki-server-10.2.5-6.el7.noarch     224/224 
Failed to get D-Bus connection: Operation not permitted
warning: %post(pki-server-10.2.5-6.el7.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package pki-server-10.2.5-6.el7.noarch
rhel-7-server-rpms/7Server/x86_64/productid                                                                           | 1.7 kB  00:00:00     
  Verifying  : libXext-1.3.3-3.el7.x86_64           1/224 
  Verifying  : perl-HTTP-Tiny-0.033-3.el7.noarch    2/224 
  Verifying  : systemd-sysv-219-19.el7.x86_64       3/224 

so the reproducer was fairly straightforward.
Comment 9 Endi Sukma Dewata 2016-01-26 15:59:12 EST
I have not used Docker before, so I'm not sure if this is an environment issue or there is a missing step. I followed this Docker setup instruction:
https://docs.docker.com/engine/installation/rhel/

Then I ran the steps to reproduce in the bug description:

# docker build -t freeipa-server .
Sending build context to Docker daemon 59.39 kB
Step 1 : FROM rhel7
 ---> 6c3a84d798dc
Step 2 : MAINTAINER Jan Pazdziora
 ---> Using cache
 ---> dc8e4818cb3f
Step 3 : RUN mkdir -p /run/lock ; yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y ipa-server ipa-server-dns bind bind-dyndb-ldap perl 'perl(Time::HiRes)' && yum clean all
 ---> Running in 263d0e957f01
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.


Error getting repository data for rhel-7-server-rpms, repository not found
The command '/bin/sh -c mkdir -p /run/lock ; yum install --disablerepo='*' --enablerepo=rhel-7-server-rpms -y ipa-server ipa-server-dns bind bind-dyndb-ldap perl 'perl(Time::HiRes)' && yum clean all' returned a non-zero code: 1

I also tried the command in comment #8:

# docker run -ti rhel7 yum install -y pki-server
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 You can enable repos with yum-config-manager --enable <repo>

If you have better step-by-step instructions on how to set up Docker properly, please let me know. Thanks.
Comment 10 Jan Pazdziora 2016-01-27 02:39:07 EST
(In reply to Endi Sukma Dewata from comment #9)
> I have not used Docker before, so I'm not sure if this is an environment
> 
> # docker run -ti rhel7 yum install -y pki-server
> Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
> This system is not registered to Red Hat Subscription Management. You can
> use subscription-manager to register.
> There are no enabled repos.
>  Run "yum repolist all" to see the repos you have.
>  You can enable repos with yum-config-manager --enable <repo>
> 
> If you have better step-by-step instructions on how to set up Docker properly
> please let me know. Thanks.

You need to run it on a RHEL system which is subscribed. The docker containers, both at build time and at run time, then inherit the entitlements.
Comment 12 Endi Sukma Dewata 2016-01-27 13:40:55 EST
Thanks for the info, but the system was already subscribed. Even after forcing it to resubscribe I still got the same error. I have tried this on 3 VMs and always got the same error. The hello-world example works though:

$ docker run hello-world
Comment 13 Jan Pazdziora 2016-01-30 11:44:11 EST
(In reply to Endi Sukma Dewata from comment #12)
> Thanks for the info, but the system was already subscribed. Even after
> forcing it to resubscribe I still got the same error. I have tried this on 3
> VMs and always got the same error. The hello-world example works though:
> 
> $ docker run hello-world

Not sure what hello-world is or does but I suspect it does not install new packages so it does not need to be subscribed.

I suggest you contact Red Hat support about a subscribed RHEL 7 system not providing the subscriptions to the docker containers (for build purposes) because that is something that really should be working.
Comment 14 Jan Pazdziora 2016-02-08 12:18:05 EST
Were you able to get the entitlements in docker build/docker run working, inheriting from the RHEL 7 host entitlements?
Comment 15 Endi Sukma Dewata 2016-06-10 18:25:59 EDT
This will be investigated further in Dogtag 10.4 timeframe (i.e. RHEL 7.4).
Comment 17 Jan Pazdziora 2016-08-01 07:09:37 EDT
Comment on attachment 1118549 [details]
pki-core.spec

Can you show the .spec as patch?
Comment 19 Endi Sukma Dewata 2017-03-30 15:47:34 EDT
Matt,

Please replace the "systemctl daemon-reload" line in the spec file with the following code as suggested in comment #5:

# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
    systemctl daemon-reload
fi

Thanks.
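
The guard requested in comment #19, simulated as an added example (not part of the bug thread or of the pki-core spec). It models only the reload line of %post; the systemctl stub, the SYSTEMD_UP variable and all function names are hypothetical, and the third variant goes beyond the committed fix by also skipping the reload when systemd is not running.

```sh
#!/bin/sh
# Constructed simulation of the reload step of an RPM %post scriptlet.
# RPM passes $1 = 1 on first install and $1 = 2 on upgrade.
# All function names and SYSTEMD_UP are hypothetical, for illustration only.

# Stub for systemctl: fails like a build container with no D-Bus,
# unless SYSTEMD_UP=1 simulates a host with systemd running.
systemctl() {
    if [ "${SYSTEMD_UP:-0}" = "1" ]; then
        echo "reloaded"
        return 0
    fi
    echo "Failed to get D-Bus connection: Operation not permitted" >&2
    return 1
}

# Assumption: a real scriptlet could test [ -d /run/systemd/system ] here.
systemd_running() { [ "${SYSTEMD_UP:-0}" = "1" ]; }

# Before the fix: reload on every transaction, so a fresh install fails.
post_unguarded() {
    systemctl daemon-reload
}

# The guard from comment #19 (written with POSIX "=" instead of "==").
post_guarded() {
    if [ "$1" = "2" ]; then
        systemctl daemon-reload
    fi
}

# Beyond the committed fix: also skip the reload when systemd is not up,
# so an upgrade inside a container does not fail either.
post_guarded_booted() {
    if [ "$1" = "2" ] && systemd_running; then
        systemctl daemon-reload
    fi
}

# Show the exit status of each variant with no systemd available.
for fn in post_unguarded post_guarded post_guarded_booted; do
    for arg in 1 2; do
        rc=0
        "$fn" "$arg" >/dev/null 2>&1 || rc=$?
        echo "$fn \$1=$arg -> exit $rc"
    done
done
```

With the upgrade-only guard alone, an upgrade performed inside a container still reaches the failing reload; only the install case is silenced.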
Comment 20 Matthew Harmsen 2017-04-03 19:29:14 EDT
Checked into 'DOGTAG_10_4_RHEL_BRANCH':

* ab164f2bf8b725a331efebdaea4fb8f9767fdc6f
Comment 22 Geetika Kapoor 2017-05-10 03:45:55 EDT
Test Steps:
==========

1. Install docker.
2. Run the below mentioned command:

Step1 :
=====

docker run -ti rhel7 yum-config-manager --save --setopt=rhel-7-server-tus-rpms.skip_if_unavailable=true;yum install -y pki-server

Loaded plugins: ovl, product-id

Checksum type 'md5' disabled
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Repository RHDS10 is listed more than once in the configuration
Resolving Dependencies
--> Running transaction check
---> Package pki-server.noarch 0:10.4.1-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================
 Package                        Arch                       Version                          Repository                   Size
==============================================================================================================================
Installing:
 pki-server                     noarch                     10.4.1-3.el7                     RHEL7.4                     2.8 M

Transaction Summary
==============================================================================================================================
Install  1 Package

Total download size: 2.8 M
Installed size: 4.4 M
Downloading packages:
pki-server-10.4.1-3.el7.noarch.rpm                                                                     | 2.8 MB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pki-server-10.4.1-3.el7.noarch                                                                             1/1 
  Verifying  : pki-server-10.4.1-3.el7.noarch                                                                             1/1 

Installed:
  pki-server.noarch 0:10.4.1-3.el7                                                                                            

Complete!

Step 2:
=======

rpm -qa pki-server
pki-server-10.4.1-3.el7.noarch

Step 3:
======

git clone https://github.com/freeipa/freeipa-container.git

In this step, we try to do docker build -t freeipa-server .

Results are posted in attachment "docker_out.txt"


Note: Jan, please have a look. Do you think there is any other test case I also need to cover?

Thanks
Geetika
Comment 23 Geetika Kapoor 2017-05-10 03:47 EDT
Created attachment 1277544 [details]
docker_out.txt
Comment 24 Jan Pazdziora 2017-05-10 05:06:14 EDT
(In reply to Geetika Kapoor from comment #22)
> 
> Note: Jan, please have a look. Do you think there is any other test case I also need
> to cover?

I think this is sufficient.
Comment 27 errata-xmlrpc 2017-08-01 18:46:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
