Bug 1334328
| Summary: | "ipa-client-install --uninstall" command when run on atomic host fails to uninstall client from IPA server. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikhil Dehadrai <ndehadra> |
| Component: | sssd-container | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | jhrozek, jpazdziora, lslebodn |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-07 10:18:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Resetting assignee to new default.

(In reply to Nikhil Dehadrai from comment #0)
> Description of problem:
> "ipa-client-install --uninstall" command when run on atomic host fails to
> uninstall client from IPA server. The user is not prompted what correct
> command to use to uninstall the ipa client.
>
> Version-Release number of selected component (if applicable):
> Atomic host: 7.2.4
> SSSD-container Image version: rhel7/sssd-7.2-13
> IPA-client version: ipa-client-4.2.0-15.el7_2.15.x86_64
> IPA-Server version: ipa-server-4.2.0-15.el7_2.15.x86_64
>
> How reproducible:
> Always
>
> Steps to Reproduce:
> 1. Setup IPA server with version 7.2up4.
> 2. Setup latest version of Atomic host (in my case 7.2.4)
> 3. Make sure resolv.conf contains details of the IPA server.
> 4. Configure docker configuration at (/etc/sysconfig/docker) to pull
> appropriate docker-sssd image.
> #atomic install rhel7/sssd --server auto-hv-01-guest06.testrelm.test
> --domain testrelm.test --principal admin --password 'password' --force-join
> 5. Login to atomic host run as root and run
> #atomic run rhel7/sssd ipa-client-install --uninstall
> 6. Now run "atomic uninstall rhel7/sssd"
>
> Actual results:
> 1. After step5, following error message is displayed at the console:
>
> -bash-4.2# atomic run rhel7/sssd ipa-client-install --uninstall
> Unconfigured automount client failed: Command ''ipa-client-automount'
> '--uninstall' '--debug'' returned non-zero exit status 1
> Failed to remove file /etc/ipa/nssdb/cert8.db: [Errno 30] Read-only file
> system: '/etc/ipa/nssdb/cert8.db'
> Please remove /etc/ipa/nssdb/cert8.db manually, as it can cause subsequent
> installation to fail.
> Failed to remove file /etc/ipa/nssdb/key3.db: [Errno 30] Read-only file
> system: '/etc/ipa/nssdb/key3.db'
> Please remove /etc/ipa/nssdb/key3.db manually, as it can cause subsequent
> installation to fail.
> Failed to remove file /etc/ipa/nssdb/secmod.db: [Errno 30] Read-only file
> system: '/etc/ipa/nssdb/secmod.db'
> Please remove /etc/ipa/nssdb/secmod.db manually, as it can cause subsequent
> installation to fail.
> Failed to remove file /etc/ipa/nssdb/pwdfile.txt: [Errno 30] Read-only file
> system: '/etc/ipa/nssdb/pwdfile.txt'
> Please remove /etc/ipa/nssdb/pwdfile.txt manually, as it can cause
> subsequent installation to fail.
> Failed to remove TESTRELM.TEST IPA CA from /etc/pki/nssdb: Command
> ''/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' 'TESTRELM.TEST IPA CA''
> returned non-zero exit status 255
> Failed to start certmonger: Command ''/bin/systemctl' 'start'
> 'certmonger.service'' returned non-zero exit status 10
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 3102, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3074, in main
> return uninstall(options, env)
> File "/usr/sbin/ipa-client-install", line 583, in uninstall
> certmonger.remove_principal_from_cas()
> File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 437,
> in remove_principal_from_cas
> ca = _find_IPA_ca()
> File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 411,
> in _find_IPA_ca
> cm = _certmonger()
> File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 137,
> in __init__
> services.knownservices.certmonger.start()
> File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line
> 298, in start
> capture_output=capture_output)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in
> run
> raise CalledProcessError(p.returncode, arg_string, stdout)
> subprocess.CalledProcessError: Command ''/bin/systemctl' 'start'
> 'certmonger.service'' returned non-zero exit status 10
>

I cannot reproduce such error and all arguments passed to atomic run are ignored.

-bash-4.2# atomic run rhel7/sssd ipasfdasd asdasd
docker run -d --restart=always --privileged --net=host --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket rhel7/sssd /bin/run.sh ipasfdasd asdasd

This container uses privileged security switches:

INFO: --net=host
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

INFO: --privileged
      This container runs without separation and should be considered the same as root on your system.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

3adb911d3adf362bea273f122ddf8f5b90582aa52abe8f0c76136d1caa39bd35

> 2. After step6, Client is successfully uninstalled and unenrolled from IPA
> server.
>
>
> Expected results:
> The user should be prompted to use command "atomic uninstall $IMAGE" instead
> when he/she tries to execute "atomic run $IMAGE ipa-client-install
> --uninstall"
>

We could print warning that arguments passed to atomic run are ignored but the 2nd invocation atomic run behaves differently because "sssd" container is already created. The warning would not be printed. This is how atomic run works.

Closing based on previous comment. If you think we should log warning for "initial" atomic run then feel free to reopen.

Description of problem:
"ipa-client-install --uninstall" command when run on atomic host fails to uninstall client from IPA server. The user is not prompted what correct command to use to uninstall the ipa client.

Version-Release number of selected component (if applicable):
Atomic host: 7.2.4
SSSD-container Image version: rhel7/sssd-7.2-13
IPA-client version: ipa-client-4.2.0-15.el7_2.15.x86_64
IPA-Server version: ipa-server-4.2.0-15.el7_2.15.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server with version 7.2up4.
2. Setup latest version of Atomic host (in my case 7.2.4)
3. Make sure resolv.conf contains details of the IPA server.
4. Configure docker configuration at (/etc/sysconfig/docker) to pull appropriate docker-sssd image.
#atomic install rhel7/sssd --server auto-hv-01-guest06.testrelm.test --domain testrelm.test --principal admin --password 'password' --force-join
5. Login to atomic host run as root and run
#atomic run rhel7/sssd ipa-client-install --uninstall
6. Now run "atomic uninstall rhel7/sssd"

Actual results:
1. After step5, following error message is displayed at the console:

-bash-4.2# atomic run rhel7/sssd ipa-client-install --uninstall
Unconfigured automount client failed: Command ''ipa-client-automount' '--uninstall' '--debug'' returned non-zero exit status 1
Failed to remove file /etc/ipa/nssdb/cert8.db: [Errno 30] Read-only file system: '/etc/ipa/nssdb/cert8.db'
Please remove /etc/ipa/nssdb/cert8.db manually, as it can cause subsequent installation to fail.
Failed to remove file /etc/ipa/nssdb/key3.db: [Errno 30] Read-only file system: '/etc/ipa/nssdb/key3.db'
Please remove /etc/ipa/nssdb/key3.db manually, as it can cause subsequent installation to fail.
Failed to remove file /etc/ipa/nssdb/secmod.db: [Errno 30] Read-only file system: '/etc/ipa/nssdb/secmod.db'
Please remove /etc/ipa/nssdb/secmod.db manually, as it can cause subsequent installation to fail.
Failed to remove file /etc/ipa/nssdb/pwdfile.txt: [Errno 30] Read-only file system: '/etc/ipa/nssdb/pwdfile.txt'
Please remove /etc/ipa/nssdb/pwdfile.txt manually, as it can cause subsequent installation to fail.
Failed to remove TESTRELM.TEST IPA CA from /etc/pki/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' 'TESTRELM.TEST IPA CA'' returned non-zero exit status 255
Failed to start certmonger: Command ''/bin/systemctl' 'start' 'certmonger.service'' returned non-zero exit status 10
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3102, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3074, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 583, in uninstall
    certmonger.remove_principal_from_cas()
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 437, in remove_principal_from_cas
    ca = _find_IPA_ca()
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 411, in _find_IPA_ca
    cm = _certmonger()
  File "/usr/lib/python2.7/site-packages/ipapython/certmonger.py", line 137, in __init__
    services.knownservices.certmonger.start()
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 298, in start
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
subprocess.CalledProcessError: Command ''/bin/systemctl' 'start' 'certmonger.service'' returned non-zero exit status 10

2. After step6, Client is successfully uninstalled and unenrolled from IPA server.

Expected results:
The user should be prompted to use command "atomic uninstall $IMAGE" instead when he/she tries to execute "atomic run $IMAGE ipa-client-install --uninstall"

Additional info:
-bash-4.2# tail -f /var/log/sssd/uninstall/ipaclient-uninstall.log
2016-05-09T09:16:45Z DEBUG stdout=
2016-05-09T09:16:45Z DEBUG stderr=No service definition found for [--full.service].
2016-05-09T09:16:45Z INFO nslcd daemon is not installed, skip configuration
2016-05-09T09:16:45Z DEBUG Starting external process
2016-05-09T09:16:45Z DEBUG args='/bin/systemctl' 'is-active' 'sshd.service'
2016-05-09T09:16:45Z DEBUG Process finished, return code=3
2016-05-09T09:16:45Z DEBUG stdout=
2016-05-09T09:16:45Z DEBUG stderr=
2016-05-09T09:16:45Z INFO Client uninstall complete.

-bash-4.2# atomic install rhel7/sssd --server auto-hv-01-guest06.testrelm.test --domain testrelm.test --principal admin --password 'Secret123' --force-join
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh --server auto-hv-01-guest06.testrelm.test --domain testrelm.test --principal admin --password Secret123 --force-join
IPA client is already configured on this system. Run atomic uninstall $IMAGE first.
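
Added example (not part of the bug report, nor code from atomic, SSSD or IPA): a Python check that maps the `[Errno 30]` paths from the description onto the `-v` bind mounts in the `docker run` line echoed by `atomic run`, to show which read-only mount covers each file the uninstaller tried to delete. It assumes the uninstall ran in a container started with those mounts; the command string is a shortened copy of the one in the thread, and all function names are hypothetical.

```python
import re
import shlex
from pathlib import PurePosixPath

# Shortened copy of the `docker run` line that `atomic run rhel7/sssd` echoes
# on this page (most -v options dropped for brevity).
DOCKER_RUN = (
    "docker run -d --restart=always --privileged --net=host --name sssd "
    "-v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ "
    "-v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /var/lib/sss/:/var/lib/sss/ "
    "rhel7/sssd /bin/run.sh"
)

# Two of the error lines from the report.
ERRORS = """\
Failed to remove file /etc/ipa/nssdb/cert8.db: [Errno 30] Read-only file system: '/etc/ipa/nssdb/cert8.db'
Failed to remove file /etc/ipa/nssdb/pwdfile.txt: [Errno 30] Read-only file system: '/etc/ipa/nssdb/pwdfile.txt'
"""

def parse_mounts(cmdline):
    """Map each -v/--volume container path to True if it is mounted read-only."""
    argv = shlex.split(cmdline)
    mounts = {}
    for flag, spec in zip(argv, argv[1:]):
        if flag in ("-v", "--volume"):
            parts = spec.split(":")
            if len(parts) >= 2:  # host:container[:options]
                options = parts[2].split(",") if len(parts) > 2 else []
                mounts[PurePosixPath(parts[1])] = "ro" in options
    return mounts

def covering_mount(path, mounts):
    """Return the deepest bind mount containing `path`, or None."""
    target = PurePosixPath(path)
    hits = [m for m in mounts if m == target or m in target.parents]
    return max(hits, key=lambda m: len(m.parts), default=None)

def explain_erofs(cmdline, log_text):
    """For each EROFS path in the log, return (path, mount point, read_only)."""
    mounts = parse_mounts(cmdline)
    rows = []
    for path in re.findall(r"\[Errno 30\] Read-only file system: '([^']+)'", log_text):
        mount = covering_mount(path, mounts)
        rows.append((path, str(mount) if mount else None, mounts.get(mount)))
    return rows

if __name__ == "__main__":
    for row in explain_erofs(DOCKER_RUN, ERRORS):
        print(row)
```

Both NSS database files resolve to the `/etc/ipa/` mount, which the run-time container binds with `:ro`; the `atomic install` line in the description instead mounts the whole host at `/host` without `:ro`.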