Red Hat Bugzilla – Bug 1579190
Improve Custodia client and key distribution handling [rhel-7.5.z]
Last modified: 2018-07-04 06:42:44 EDT
This bug has been copied from bug #1577108 and has been proposed to be backported to 7.5 z-stream (EUS).
Version: ipa-server-4.5.4-10.el7_5.2.x86_64

Tested the bug with the following observations, using comment#4 as reference:

1. Set up IPA server with CA.
2. Set up REPLICA-1 against the IPA server from step 1, without CA. The setup of REPLICA-1 is successful.
3. Now stop the custodia service on REPLICA-1.
4. Set up REPLICA-2 with CA (--setup-ca), using REPLICA-1 as source. The setup of REPLICA-2 FAILED.

Console:

Replica-1:
------------
[root@auto-hv-01-guest07 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# systemctl status ipa-custodia
● ipa-custodia.service - IPA Custodia Service
   Loaded: loaded (/usr/lib/systemd/system/ipa-custodia.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

May 28 05:14:11 auto-hv-01-guest07.testrelm.test systemd[1]: Starting IPA Custodia Service...
May 28 05:14:12 auto-hv-01-guest07.testrelm.test ipa-custodia[32580]: 2018-05-28 05:14:12 - server ...ck
May 28 05:14:12 auto-hv-01-guest07.testrelm.test systemd[1]: Started IPA Custodia Service.
May 28 05:21:57 auto-hv-01-guest07.testrelm.test systemd[1]: Stopping IPA Custodia Service...
May 28 05:21:57 auto-hv-01-guest07.testrelm.test systemd[1]: Stopped IPA Custodia Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@auto-hv-01-guest07 ~]#

Replica-2:
-------------
[root@auto-hv-01-guest08 ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=x.x.x.x --ip-address=x.x.x.x -P admin -w Secret123
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Configuring client side components
Discovery was successful!
Client hostname: auto-hv-01-guest08.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: auto-hv-01-guest07.testrelm.test
BaseDN: dc=testrelm,dc=test
continued....
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    503 Server Error: Service Unavailable
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@auto-hv-01-guest08 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

ipa-replica-install-log (REPLICA-2)
---------------------------------------
2018-05-28T09:30:49Z DEBUG   [9/9]: starting directory server
2018-05-28T09:30:49Z DEBUG Starting external process
2018-05-28T09:30:49Z DEBUG args=/bin/systemctl start dirsrv@TESTRELM-TEST.service
2018-05-28T09:30:53Z DEBUG Process finished, return code=0
2018-05-28T09:30:53Z DEBUG stdout=
2018-05-28T09:30:53Z DEBUG stderr=
2018-05-28T09:30:53Z DEBUG Created connection context.ldap2_139880832010256
2018-05-28T09:30:53Z DEBUG   duration: 4 seconds
2018-05-28T09:30:53Z DEBUG Done.
2018-05-28T09:30:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-28T09:30:53Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-28T09:30:53Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-28T09:30:53Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-28T09:30:53Z DEBUG Restarting the KDC
2018-05-28T09:30:53Z DEBUG Starting external process
2018-05-28T09:30:53Z DEBUG args=/bin/systemctl restart krb5kdc.service
2018-05-28T09:30:53Z DEBUG Process finished, return code=0
2018-05-28T09:30:53Z DEBUG stdout=
2018-05-28T09:30:53Z DEBUG stderr=
2018-05-28T09:30:53Z DEBUG Starting external process
2018-05-28T09:30:53Z DEBUG args=/bin/systemctl is-active krb5kdc.service
2018-05-28T09:30:54Z DEBUG Process finished, return code=0
2018-05-28T09:30:54Z DEBUG stdout=active
2018-05-28T09:30:54Z DEBUG stderr=
2018-05-28T09:30:54Z INFO Waiting up to 300 seconds to see our keys appear on host: auto-hv-01-guest07.testrelm.test
2018-05-28T09:30:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main
    replica_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 399, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1515, in install
    custodia.import_dm_password(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 187, in import_dm_password
    cli.fetch_key('dm/DMHash')
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 101, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2018-05-28T09:30:54Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 503 Server Error: Service Unavailable
2018-05-28T09:30:54Z ERROR 503 Server Error: Service Unavailable
2018-05-28T09:30:54Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Thus, marking the status of the bug as 'ASSIGNED'.
We would need to see the Apache error log to see why it threw a 503.
Hmm, can you look in the access logs on both the master and replica for the 503 and see if there is anything in the Apache error or dogtag debug at the same time?
ipa-4-5: d3c09a6 Use one Custodia peer to retrieve all secrets
Version: ipa-server-4.5.4-10.el7_5.3.x86_64

Tested the bug with the following observations, using comment#4 as reference:

1. Set up IPA server with CA.
2. Set up REPLICA-1 against the IPA server from step 1, without CA. The setup of REPLICA-1 is successful.
3. Now stop the custodia service on REPLICA-1.
4. Set up REPLICA-2 with CA (--setup-ca), using REPLICA-1 as source. The setup of REPLICA-2 is successful.

Thus the issue mentioned in comment#5 above is no longer observed.

Setup: (Line Topology)
-------------------------
MASTER ------> REPLICA-1 ----------> Replica-2

Console-log:
------------------
MASTER:
-------------
[root@ipaqavmb ~]# rpm -q ipa-server
ipa-server-4.5.4-10.el7_5.3.x86_64
[root@ipaqavmb ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipaqavmb ~]# tail -1 /var/log/ipaserver-install.log
2018-06-12T13:13:13Z INFO The ipa-server-install command was successful
[root@ipaqavmb ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@ipaqavmb ~]#

REPLICA-1:
-------------
[root@bkr-hv01-guest17 ~]# ipa-replica-install -U --setup-dns --forwarder=x.x.x.x --ip-address=x.x.x.x -P admin -w Secret123
Configuring client side components
Discovery was successful!
Client hostname: bkr-hv01-guest17.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaqavmb.testrelm.test
BaseDN: dc=testrelm,dc=test
[root@bkr-hv01-guest17 ~]# tail -1 /var/log/ipareplica-install.log
2018-06-12T14:21:31Z INFO The ipa-replica-install command was successful
[root@bkr-hv01-guest17 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@bkr-hv01-guest17 ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@bkr-hv01-guest17 ~]# rpm -q ipa-server
ipa-server-4.5.4-10.el7_5.3.x86_64
[root@bkr-hv01-guest17 ~]#

REPLICA-2:
---------------------
[root@ipaqavmc ~]# ipa-replica-install -U --setup-ca --setup-dns --forwarder=x.x.x.x --ip-address=x.x.x.x -P admin -w Secret123
Configuring client side components
Discovery was successful!
Client hostname: ipaqavmc.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: bkr-hv01-guest17.testrelm.test
BaseDN: dc=testrelm,dc=test
[root@ipaqavmc ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipaqavmc ~]# kinit admin
Password for admin@TESTRELM.TEST:
[root@ipaqavmc ~]# ipa-replica-manage list
ipaqavmc.testrelm.test: master
ipaqavmb.testrelm.test: master
bkr-hv01-guest17.testrelm.test: master
[root@ipaqavmc ~]# tail -1 /var/log/ipareplica-install.log
2018-06-12T14:57:20Z INFO The ipa-replica-install command was successful
[root@ipaqavmc ~]#

Thus, on the basis of the above observations and comment#17, marking the status of the bug as 'VERIFIED'.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1985