Bug 1729232 - rebuild of sssd-container 7.6
Summary: rebuild of sssd-container 7.6
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: sssd-qe
Duplicates: 1734120
Reported: 2019-07-11 16:06 UTC by Ferdinand bot (Userspace containerization team)
Modified: 2019-07-30 14:43 UTC (History)

Fixed In Version: sssd-container-7.6-28
Last Closed: 2019-07-29 16:39:49 UTC


Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2019:1929  None      None    None     2019-07-29 16:39:50 UTC

Description Ferdinand bot (Userspace containerization team) 2019-07-11 16:06:54 UTC
Hello,

this bug has been created by bot Ferdinand
in order to be able to create Errata advisory.

With regards,
Ferdinand, member of the bot family,
Userspace Containerization Team, <user-cont@redhat.com>

Comment 3 Nikhil Dehadrai 2019-07-25 16:57:59 UTC
Atomic host Version: 7.6.6 (2019-07-24 08:47:27)
IPA-IMAGE: ipa-server-container-4.6.4-28
SSSD-IMAGE: sssd-container-7.6-28
# atomic run ipadocker rpm -q ipa-server
ipa-server-4.6.4-10.el7_6.6.x86_64
# atomic run sssd rpm -q ipa-client
ipa-client-4.6.4-10.el7_6.6.x86_64


Verified the bug with the following scenarios:
A) CVE Scan:

IPA-IMAGE
------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/ipa-server
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-55-14-754765:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-55-14-754765:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/ipa-server (7a59f8d4e569e6c)

rhel7/ipa-server passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-55-14-754765.


SSSD-IMAGE
-------------
[root@nikhil-atomic-host-7 ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-25-14-56-19-990281:/scanin -v /var/lib/atomic/openscap/2019-07-25-14-56-19-990281:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-25-14-56-19-990281.


B) Regression Tests:
------------------------
1. Verified that IPA-client is installed through sssd-container image against ipa-container IPA server.
2. Verified that IPA commands klist works when ipa-client is configured with sssd-container image.
3. Verified that trust-related commands like id and other Windows AD user details can be viewed from client machine.
4. Verified that ssh works for ipa client setup using sssd-container image.
5. Verified that ipa-user details can be viewed from client machine.
6. Verified that latest version of ipa-client is available with sssd-container image.
7. Verified that IPA-client is un-installed through sssd-container image against RHEL ipa-server.

Comment 5 Madhuri 2019-07-26 09:05:45 UTC
Verified with

[root@trinity ~]# atomic host status
State: idle; auto updates disabled
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.6.6 (2019-07-24 08:47:27)
                    Commit: 33bb37a7d207ce653eab70306d18deea7daf444b6b7f7aeadef722f96d7e8e6d
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51

[root@trinity ~]# docker inspect rhel7/sssd | grep url
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",
                "authoritative-source-url": "registry.access.redhat.com",
                "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/rhel7/sssd/images/7.6-28",

[root@trinity ~]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-07-26-08-51-34-722030:/scanin -v /var/lib/atomic/openscap/2019-07-26-08-51-34-722030:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1

rhel7/sssd (18820ca6d4d40a2)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2019-07-26-08-51-34-722030.

SSSD as System-Container Sanity Services
========================================

Deny specific ad user login to Atomic host                  Passed
Discover Windows Domain on atomic host using realm cli      Passed
Disjoin Atomic host from AD Domain using realm leave Cli    Passed
Join AD Domain using adcli as membership-software           Passed
Permit specific ad user login to Atomic host                Passed
Query AD users using ID command                             Passed
Realm join with membership software samba                   Passed
Verify sssd selinux label                                   Passed
Verify uninstall container leaves domain                    Passed

SSSD container as Application Container
============================================

Create a sssd application container on Atomic host              Passed
Query AD users using ID command from sssd app container         Passed
Spawn sssd app container using realm join with adcli option     Passed
Verify sssd application container runs as unprivileged          Passed
kinit as AD User from sssd app container should be successfull  Passed

SSSD Container with KCM
========================

Access user secrets using KCM responder URI                 Passed
Create multiple sssd application containers                 Passed
KCM socket should auto start secrets socket                 Passed
Share KCM Credential cache with other containers            Passed
Verify ccname type is KCM in sssd application container     Passed
Verify sssd kcm socket                                      Passed

Comment 8 errata-xmlrpc 2019-07-29 16:39:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1929

Comment 9 dhodovsk 2019-07-30 14:43:13 UTC
*** Bug 1734120 has been marked as a duplicate of this bug. ***

