We intend to change the default database format that NSS will use, if an application doesn't specify their preference. (Only on Fedora 28 and later.) The reason is that the old default (dbm) is old legacy code, which doesn't work with concurrent access, and the NSS developers would like to declare dbm as deprecated. The new default (sql) is based on sqlite. While doing some initial tests, Hubert Kario found that freeipa checks that the database files cert8.db (or key3.db, secmod.db) exist. Once bug 1496560 gets implemented, the filenames created by NSS will be cert9.db, key4.db, pkcs11.txt. Could you please adjust freeipa to be tolerant of these new filenames? Would you like to explain why you added a test for specific filenames? Maybe this check isn't necessary?
This will be done as part of https://pagure.io/freeipa/issue/7049. These "checks" are for things like file backups, permissions, etc.
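A format-tolerant version of the file check discussed in the two comments above, as an added example that is not FreeIPA, Dogtag or NSS code. The function names, the preference for the sql set when both sets are present, and the rule that a symlink does not count as a regular file are assumptions; the filenames are the ones given in the report.

```python
import os
import stat
import tempfile

# Filenames per format, as listed in the report above.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")
FORMATS = {"sql": SQL_FILES, "dbm": DBM_FILES}  # assumed preference order


def is_regular(dirname, name):
    """True only for a regular file; lstat() means a symlink does not count."""
    try:
        return stat.S_ISREG(os.lstat(os.path.join(dirname, name)).st_mode)
    except OSError:
        return False


def detect_nssdb(dirname):
    """Return (format, paths) for the NSS database in dirname.

    format is "sql", "dbm" or None for an empty directory. A directory
    holding only part of a set raises ValueError naming what is missing.
    """
    present = {fmt: [n for n in names if is_regular(dirname, n)]
               for fmt, names in FORMATS.items()}
    for fmt, names in FORMATS.items():
        if len(present[fmt]) == len(names):
            return fmt, [os.path.join(dirname, n) for n in names]
    for fmt, names in FORMATS.items():
        if present[fmt]:
            missing = sorted(set(names) - set(present[fmt]))
            raise ValueError(f"incomplete {fmt} database in {dirname}: "
                             f"missing {', '.join(missing)}")
    return None, []


if __name__ == "__main__":
    # Constructed sample: a directory that holds both sets of files.
    with tempfile.TemporaryDirectory() as d:
        for name in DBM_FILES + SQL_FILES:
            open(os.path.join(d, name), "w").close()
        fmt, paths = detect_nssdb(d)
        print(fmt, [os.path.basename(p) for p in paths])
```

A backup or permission check can iterate over the returned paths instead of hard-coding cert8.db, which is the name the later pkispawn failure in this report trips over.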
Upstream ticket: https://pagure.io/freeipa/issue/7209
FYI, I'd like to make the change to NSS next week.
I believe this is now affecting (and blocking) Rawhide. In recent Rawhide composes, the openQA FreeIPA tests fail during server deployment, with these errors logged from ipa-server-install:
  Installing CA into /var/lib/pki/pki-tomcat.
  Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
  Installation failed: File '/etc/pki/pki-tomcat/alias/cert8.db' is either missing or is NOT a regular file!
  2017-11-27T13:23:39Z DEBUG stderr=pkispawn : ERROR ....... File '/etc/pki/pki-tomcat/alias/cert8.db' is either missing or is NOT a regular file!
  2017-11-27T13:23:39Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmppefbup0h' returned non-zero exit status 1.
  2017-11-27T13:23:39Z CRITICAL See the installation logs and the following files/directories for more information:
  2017-11-27T13:23:39Z CRITICAL /var/log/pki/pki-tomcat
  2017-11-27T13:23:39Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 147, in spawn_instance
      ipautil.run(args, nolog=nolog_list)
    File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 523, in run
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmppefbup0h' returned non-zero exit status 1.
Proposing as an F28 Beta blocker; this is a clear violation of Basic criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried", as 'domain controller' is a release-blocking role.
Discussed during the 2017-12-11 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made as it violates the following blocker criteria: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-12-11/f28-blocker-review.2017-12-11-17.01.txt
*** Bug 1530074 has been marked as a duplicate of this bug. ***
Latest tests fail on https://bugzilla.redhat.com/show_bug.cgi?id=1542600 Not sure if we're past this one now, or if that one happens before this one.
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
*Now* rawhide is failing on: https://bugzilla.redhat.com/show_bug.cgi?id=1551677 Again, not sure if that happens before or after this. Basically, I'm only going to close this once we have at least one compose where ipa-server-install actually *succeeds*.
freeipa-4.6.90.pre1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.