1729232 – rebuild of sssd-container 7.6

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1729232 - rebuild of sssd-container 7.6

Summary: rebuild of sssd-container 7.6

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd-container
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1734120 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-11 16:06 UTC by Ferdinand bot (Userspace containerization team)
Modified:	2019-07-30 14:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:	sssd-container-7.6-28
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-29 16:39:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:1929	0	None	None	None	2019-07-29 16:39:50 UTC

Description Ferdinand bot (Userspace containerization team) 2019-07-11 16:06:54 UTC

Hello,

this bug has been created by bot Ferdinand
in order to be able to create Errata advisory.

With regards,
Ferdinand, member of the bot family,
Userspace Containerization Team, <user-cont>

Comment 3 Nikhil Dehadrai 2019-07-25 16:57:59 UTC

Atomic host Version: 7.6.6 (2019-07-24 08:47:27)
IPA-IMAGE: ipa-server-container-4.6.4-28
SSSD-IMAGE: sssd-container-7.6-28
# atomic run ipadocker rpm -q ipa-server
ipa-server-4.6.4-10.el7_6.6.x86_64
# atomic run sssd rpm -q ipa-client
ipa-client-4.6.4-10.el7_6.6.x86_64


Verified the bug with following scenarios:
A) CVE Scan:

IPA-IMAGE
------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/ipa-server
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-55-14-754765:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-55-14-754765:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/ipa-server (7a59f8d4e569e6c)

rhel7/ipa-server passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-55-14-754765.


SSSD-IMAGE
-------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-56-19-990281:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-56-19-990281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-56-19-990281.


B) Regressions Tests:
------------------------
1. Verified that IPA-client is installed through sssd-container image against ipa-container IPA server.
2. Verified that IPA commands klist works when ipa-client is configured with sssd-container image.
3. Verified that trust related commands like id and other windows AD user details can be viewed from client machine.
4. verified that ssh works for ipa client setup using sssd-container image.
5. Verified that ipa-user details can be viewed from client machine.
6. Verified that latest version of ipa-client is available with sssd-container image.
7. Verified that IPA-client is un-installed through sssd-container image against RHEL ipa-server.

Comment 5 Madhuri 2019-07-26 09:05:45 UTC

Verified with

[root@trinity ~]# atomic host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.6.6 (2019-07-24 08:47:27)
                    Commit: 33bb37a7d207ce653eab70306d18deea7daf444b6b7f7aeadef722f96d7e8e6d
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

[root@trinity ~]# docker inspect rhel7/sssd | grep url
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",

[root@trinity ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-26-08-51-34-722030:/scanin -v /var/lib/atomic/openscap/2019-07-26-08-51-34-722030:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-26-08-51-34-722030.

SSSD as System-Container Sanity Services
========================================

Deny specific ad user login to Atomic host                  Passed
Discover Windows Domain on atomic host using realm cli      Passed
Disjoin Atomic host from AD Domain using realm leave Cli    Passed
Join AD Domain using adcli as membership-software           Passed
Permit specific ad user login to Atomic host                Passed
Query AD users using ID command                             Passed
Realm join with membership software samba                   Passed
Verify sssd selinux label                                   Passed
Verify uninstall container leaves domain                    Passed

SSSD container as Application Container
============================================

Create a sssd application container on Atomic host              Passed
Query AD users using ID command from sssd app container         Passed
Spawn sssd app container using realm join with adcli option     Passed
Verify sssd application container runs as unprivileged          Passed
kinit as AD User from sssd app container should be successfull  Passed

SSSD Container with KCM
========================

Access user secrets using KCM responder URI                 Passed
Create multiple sssd application containers                 Passed
KCM socket should auto start secrets socket                 Passed
Share KCM Credential cache with other containers            Passed
Verify ccname type is KCM in sssd application container     Passed
Verify sssd kcm socket                                      Passed

Comment 8 errata-xmlrpc 2019-07-29 16:39:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1929

Comment 9 dhodovsk 2019-07-30 14:43:13 UTC

*** Bug 1734120 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.