Bug 1457876 - ipa-backup fails silently
Summary: ipa-backup fails silently
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-01 12:39 UTC by Thorsten Scherf
Modified: 2018-08-21 12:34 UTC (History)

Fixed In Version: ipa-4.5.4-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 16:42:04 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0918 None None None 2018-04-10 16:43:25 UTC

Description Thorsten Scherf 2017-06-01 12:39:33 UTC
Description of problem:

When ipa-backup is called for the first time, the LDAP database is exported to /var/lib/dirsrv/slapd-<instance>/ldif/<instance>-userRoot.ldif. db2ldif is called for this. The tool runs under the dirsrv user context. When you call ipa-restore, the same ldif file is mangled by RemoveRUVParser(). Since the tool runs under root, the mangled ldif file is now also owned by root.

When you now call ipa-backup the next time, the db2ldif fails, because the tool does not have permissions to write to the ldif file which is owned by root (instead of dirsrv).


I think this is the problematic code in ldif2db():

    ipautil.backup_file(ldiffile)
    with open(ldiffile, 'wb') as out_file:
        ldif_writer = ldif.LDIFWriter(out_file)
        with open(srcldiffile, 'rb') as in_file:
            ldif_parser = RemoveRUVParser(in_file, ldif_writer, self.log)
            ldif_parser.parse()

Another problem is that ipa-backup returns with "The ipa-backup command was successful" although the db2ldif failed.

Version-Release number of selected component (if applicable):
ipa-4.4


Comment 3 Petr Vobornik 2017-06-09 15:51:45 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7010

Comment 4 Martin Bašti 2017-06-15 08:41:26 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/e8358eaea9ccf05c5c5ac0bf5c970663c611e333

Comment 6 Mohammad Rizwan 2018-01-09 10:28:26 UTC
Version:
ipa-server-4.5.4-7.el7.x86_64
389-ds-base-1.3.7.5-11.el7.x86_64

steps:
1. Install ipa Master
2. $ ipa-backup
3. $ ipa-restore <path-to-backup-directory>
4. $ ls -ldZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
5. $ ls -lZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
6. $  ipa-backup -d


Actual result:

[root@bkr-hv01-guest02 ~]# ls -ldZ /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif
drwxrwx---. dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif

[root@bkr-hv01-guest02 ~]# ls -lZ /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_lib_t:s0 TESTRELM-TEST-ipaca.ldif
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_lib_t:s0 TESTRELM-TEST-userRoot.ldif

[root@bkr-hv01-guest02 ~]# ipa-backup -d
[..]
ipa.ipaserver.install.ipa_backup.Backup: CRITICAL: db2ldif failed: [09/Jan/2018:05:08:46.212938677 -0500] - ERR - slapd_bootstrap_config - %s: %s: %s
 - /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif[09/Jan/2018:05:08:46.320040402 -0500] - WARN - load_config_dse - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096.
[09/Jan/2018:05:08:46.407005661 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.413888259 -0500] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[09/Jan/2018:05:08:46.419228069 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.429246592 -0500] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[09/Jan/2018:05:08:46.438221259 -0500] - NOTICE - ldbm_back_start - found 8010080k physical memory
[09/Jan/2018:05:08:46.438965801 -0500] - NOTICE - ldbm_back_start - found 7372328k available
[09/Jan/2018:05:08:46.439430891 -0500] - NOTICE - ldbm_back_start - cache autosizing: db cache: 200252k
[09/Jan/2018:05:08:46.440042688 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.441733911 -0500] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.443076469 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.444817426 -0500] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.445821890 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 196608k
[09/Jan/2018:05:08:46.447345397 -0500] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[09/Jan/2018:05:08:46.448330677 -0500] - NOTICE - ldbm_back_start - total cache size: 969352806 B; 
[09/Jan/2018:05:08:46.466278396 -0500] - DEBUG - ldbm_usn_init - backend: changelog (global mode)
[09/Jan/2018:05:08:46.467578224 -0500] - DEBUG - ldbm_usn_init - backend: userRoot (global mode)
[09/Jan/2018:05:08:46.468353594 -0500] - DEBUG - ldbm_usn_init - backend: ipaca (global mode)
[09/Jan/2018:05:08:46.476491262 -0500] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=testrelm,dc=test--no CoS Templates found, which should be added before the CoS Definition.
ldiffile: /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-ipaca.ldif
[09/Jan/2018:05:08:46.481779742 -0500] - ERR - ldbm_back_ldbm2ldif - db2ldif: can't open /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-ipaca.ldif: 13 (Permission denied) while running as user "dirsrv"
[09/Jan/2018:05:08:46.483030518 -0500] - INFO - dblayer_pre_close - Waiting for 4 database threads to stop
[09/Jan/2018:05:08:47.468001528 -0500] - INFO - dblayer_pre_close - All database threads now stopped

ipa-backup returns with "The ipa-backup command was successful" although the db2ldif failed
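
The two conditions shown in the reproduction above (files in the ldif directory owned by someone other than the directory's owner, and a failed export that still ends in a success message) can be checked for as follows. This is an added example, not part of the bug report and not FreeIPA's code or its fix; `foreign_owned` and `run_export` are hypothetical names, and it assumes the export command signals failure through its exit status.

```python
import os
import stat
import subprocess
import sys
import tempfile


def foreign_owned(ldif_dir, expected_uid=None):
    """List regular files in ldif_dir whose owner differs from expected_uid.

    By default the expected owner is the directory's own owner (dirsrv in
    the listing above), so a root-owned *.ldif left by a restore shows up.
    """
    if expected_uid is None:
        expected_uid = os.stat(ldif_dir).st_uid
    bad = []
    for name in sorted(os.listdir(ldif_dir)):
        st = os.lstat(os.path.join(ldif_dir, name))
        if stat.S_ISREG(st.st_mode) and st.st_uid != expected_uid:
            bad.append(name)
    return bad


def run_export(argv):
    """Run an export command; raise on a non-zero exit instead of continuing."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    if proc.returncode != 0:
        raise RuntimeError("export failed (rc=%d): %s"
                           % (proc.returncode, proc.stderr.strip()))
    return proc.stdout


if __name__ == "__main__":
    # Constructed stand-in for /var/lib/dirsrv/slapd-<instance>/ldif/
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "EXAMPLE-userRoot.ldif"), "w").close()
        print("unexpected owner:", foreign_owned(d))
        # Constructed failing command standing in for a failed db2ldif
        try:
            run_export([sys.executable, "-c", "import sys; sys.exit(13)"])
        except RuntimeError as exc:
            print("backup must stop here:", exc)
```

On a real server the first check would be pointed at the instance's ldif directory before running ipa-backup; any name it returns is a file the dirsrv user may be unable to overwrite.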

Comment 8 Mohammad Rizwan 2018-01-09 10:31:29 UTC
Based on observation from comment#6, making the bug "FailedQA"

Comment 10 Florence Blanc-Renaud 2018-01-12 15:32:04 UTC
Moving the bug back to ASSIGNED as the backport was missing

Comment 11 Florence Blanc-Renaud 2018-01-12 19:49:37 UTC
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/58f3af38f8a0853b4a74c86e5f6252684f814a26

Comment 18 Mohammad Rizwan 2018-01-25 07:31:00 UTC
version:
ipa-server-4.5.4-9.el7.x86_64
389-ds-base-1.3.7.5-13.el7.x86_64

steps:
1. Install ipa Master
2. $ ipa-backup
3. $ ipa-restore <path-to-backup-directory>
4. $ ls -ldZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
5. $ ls -lZ /var/lib/dirsrv/slapd-<instance-name>/ldif/
6. $  ipa-backup -d

Actual result:
No error has been observed while $ ipa-backup -d ran.

Thus based on above observation, marking bug verified.

Comment 22 errata-xmlrpc 2018-04-10 16:42:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918

