Bug 1460929 - starting sssd container using systemctl creates /etc/yp.conf directory
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-docker
Version: 7.3
Hardware: x86_64 Linux
Priority: unspecified, Severity: low
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: sssd-qe
Reported: 2017-06-13 03:40 EDT by Niranjan Mallapadi Raghavender
Modified: 2017-06-28 05:44 EDT
Last Closed: 2017-06-13 03:59:10 EDT
Type: Bug
Description Niranjan Mallapadi Raghavender 2017-06-13 03:40:57 EDT
Description of problem:
After joining a RHEL7 Atomic host to Active Directory using realm, starting the sssd container creates an /etc/yp.conf directory; /etc/yp.conf should be a file and not a directory.

Version-Release number of selected component (if applicable):
sssd-docker-7.3-25

How reproducible:


Steps to Reproduce:
1. atomic install rhel7/sssd realm join -v --membership-software=samba CENTAUR.TEST
2. systemctl start sssd
3. ls -l /etc/yp.conf
[root@titan ~]# ls -l /etc/yp.conf/
total 0



Actual results:

[root@titan ~]# ls -l /etc/yp.conf/
total 0
Expected results:
/etc/yp.conf directory should not be created 

Additional info:
Comment 2 Lukas Slebodnik 2017-06-13 03:59:10 EDT
It is not a bug.

Because if docker tries to bind-mount a non-existing file, it will create a directory on the host. And /etc/yp.conf is created only by ipa-client-install and not by adcli/realmd. Therefore the file /etc/yp.conf does not exist after "atomic install rhel7/sssd ..."
Comment 3 Jan Pazdziora 2017-06-13 06:09:37 EDT
OTOH, can't this prevent us from uninstalling the AD-joined setup and installing an ipa-client-install-based one?

Maybe we should touch and create empty files in install.sh that we plan to bind-mount in run.sh, to prevent them from being autocreated with the wrong type?
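
One way to implement the pre-creation suggested in comment 3, as an added example that is not the rhel7/sssd image's own install.sh. The function names are hypothetical, and ROOT stands for the host prefix that the containers in this report receive as HOST=/host.

```shell
#!/bin/sh
# Added example, not code from the rhel7/sssd image.
# ensure_bind_file ROOT PATH
#   Makes sure ROOT/PATH is a regular file before run.sh bind-mounts it, so
#   docker does not auto-create a directory at a missing bind source.
#   Returns 0 if the path is (now) a regular file, 1 if it was left untouched.
ensure_bind_file() {
    root=$1
    target=$root$2

    # Do not follow symlinks: with / mounted at $HOST, an absolute link
    # would resolve against the container's own filesystem.
    if [ -L "$target" ]; then
        echo "refusing: $target is a symlink" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        return 0                      # already the right type, keep its content
    fi
    if [ -d "$target" ]; then
        # An empty directory is what docker leaves behind when the bind
        # source did not exist; rmdir fails safely if it has any content.
        if ! rmdir "$target" 2>/dev/null; then
            echo "refusing: $target is a non-empty directory" >&2
            return 1
        fi
    elif [ -e "$target" ]; then
        echo "refusing: $target is not a regular file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$target")" || return 1
    # noclobber: the create fails if something appeared at the path meanwhile
    ( set -C; : > "$target" ) 2>/dev/null || return 1
}

# ensure_bind_files ROOT PATH...
#   Returns the number of paths that could not be made regular files.
ensure_bind_files() {
    root=$1; shift
    failed=0
    for p in "$@"; do
        ensure_bind_file "$root" "$p" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Called from an install step as `ensure_bind_files "$HOST" /etc/yp.conf`, a non-zero return means at least one bind source still has the wrong type and needs manual cleanup before the container is started.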
Comment 4 Niranjan Mallapadi Raghavender 2017-06-27 18:56:27 EDT
I have not tested ipa-client-install, but it does prevent uninstalling the realmd ones.

[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U administrator
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v U administrator
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
realm: Couldn't find a matching realm
Comment 5 Niranjan Mallapadi Raghavender 2017-06-27 19:02:22 EDT
[root@dione sssd_container]# atomic install rhel7/sssd realm join -v --membership-software=adcli CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v --membership-software=adcli CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.187
Password for Administrator:  * Performing LDAP DSE lookup on: 192.168.122.27
 * Successfully discovered: CENTAUR.TEST
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain CENTAUR.TEST --domain-realm CENTAUR.TEST --domain-controller 192.168.122.187 --login-type user --login-user Administrator --stdin-password
 * Using domain name: CENTAUR.TEST
 * Calculated computer account name from fqdn: DIONE
 * Using domain realm: CENTAUR.TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.187
 * Received NetLogon info from: srv1.CENTAUR.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-SN2i2V/krb5.d/adcli-krb5-conf-MVDZUN
 * Authenticated as user: Administrator@CENTAUR.TEST
 * Looked up short domain name: CENTAUR
 * Using fully qualified name: dione.centaur.test
 * Using domain name: CENTAUR.TEST
 * Using computer account name: DIONE
 * Using domain realm: CENTAUR.TEST
 * Calculated computer account name from fqdn: DIONE
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for DIONE$ at: CN=DIONE,CN=Computers,DC=CENTAUR,DC=TEST
 * Set computer password
 * Retrieved kvno '4' for computer account in directory: CN=DIONE,CN=Computers,DC=CENTAUR,DC=TEST
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: DIONE$@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/DIONE@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/dione.centaur.test@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/DIONE@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/dione.centaur.test@CENTAUR.TEST: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Service sssd.service configured to run SSSD container.
[root@dione sssd_container]# ls -l /etc/yum
yum/         yum.conf     yum.repos.d/
[root@dione sssd_container]# atomic install rhel7/sssd realm join -v --membership-software=adcli CENTAUR.TEST^C
[root@dione sssd_container]# systemctl start sssd
[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U administrator CENTAUR.TEST^C
[root@dione sssd_container]# ls -l /etc/yp.conf/
total 0
[root@dione sssd_container]# #atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST
[root@dione sssd_container]# systemctl stop sssd
[root@dione sssd_container]# #atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST
[root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v -U administrator CENTAUR.TEST-
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v -U administrator CENTAUR.TEST-
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
realm: Couldn't find a matching realm
Comment 6 Lukas Slebodnik 2017-06-28 05:38:16 EDT
(In reply to Niranjan Mallapadi Raghavender from comment #4)
> I have not tested ipa-client-install, but it does prevent uninstalling the
> realmd ones.
> 
> [root@dione sssd_container]# atomic uninstall -f rhel7/sssd realm leave -v U
> administrator
> docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e
> IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v U
> administrator
> Initializing configuration context from host ...
> Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory

This warning is not related to the realm leave failure, because in case of "atomic uninstall" we just print a warning and skip importing the problematic file/directory to the container.


> realm: Couldn't find a matching realm

Seems to be a PEBKAC or copy&paste problem.

A different REALM was used for joining the machine and leaving the machine:
"CENTAUR.TEST" != "CENTAUR.TEST-"
Comment 7 Niranjan Mallapadi Raghavender 2017-06-28 05:44:12 EDT
Lukas, you are right, it does print a warning.


[root@dione repo]# atomic install rhel7/sssd realm join -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.27
Password for Administrator:  * Performing LDAP DSE lookup on: 192.168.122.187
 * Successfully discovered: CENTAUR.TEST
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SG6S2Y -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CENTAUR
Joined 'DIONE' to dns domain 'CENTAUR.TEST'
DNS Update for dione.centaur.test failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.SG6S2Y -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

 * Successfully enrolled machine in realm
Copying new configuration to host ...
Service sssd.service configured to run SSSD container.
[root@dione repo]# systemctl start sssd
[root@dione repo]# ls -l /etc/yp.conf/
total 0
[root@dione repo]# atomic uninstall rhel7/sssd realm leave -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh realm leave -v CENTAUR.TEST
Initializing configuration context from host ...
Warning: Failed to copy /etc/yp.conf to host. It cannot be a directory
 * Removing entries from keytab for realm
 * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
 * Removing domain configuration from sssd.conf
 * /usr/sbin/authconfig --update --disablesssdauth --nostart
 * /usr/bin/systemctl disable sssd.service
 * Successfully unenrolled machine from realm
Copying new configuration to host ...
Removing /etc/krb5.keytab
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/yp.conf
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST.69
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST.11
Removing /var/lib/sss/pipes/private/sbus-dp_CENTAUR.TEST
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/mc/initgroups
