1732981 – When nuxwdog is enabled pkidaemon status shows instances as stopped.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1732981 - When nuxwdog is enabled pkidaemon status shows instances as stopped.

Summary: When nuxwdog is enabled pkidaemon status shows instances as stopped.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	RHCS Maintainers
QA Contact:	PKI QE
Docs Contact:
URL:
Whiteboard:
Depends On:	1487418
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-24 21:23 UTC by Matthew Harmsen
Modified:	2020-11-04 03:15 UTC (History)
CC List:	5 users (show)
Fixed In Version:	pki-core-10.6-8030020200806183337.5ff1562f
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1487418
Environment:
Last Closed:	2020-11-04 03:15:07 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Comment 1 Dinesh Prasanth 2020-02-24 15:42:10 UTC

`pkidaemon status` has been deprecated in favor of `pki-server status`[1]. Do we need
to still fix this bug?

[1] https://github.com/dogtagpki/pki/commit/179537224f5180eebb3efa7438970d06d494cd83

Comment 2 Endi Sukma Dewata 2020-02-24 15:56:53 UTC

I think we don't need to fix "pkidaemon status" itself, but we need to make sure
that "pki-server status" shows the correct information when nuxwdog/keyring is
used before closing this ticket.

Comment 3 Matthew Harmsen 2020-05-08 15:49:15 UTC

per comments 1 & 2:  QE will basically verify this bug; adding to https://projects.engineering.redhat.com/browse/RHCS-1139

Comment 5 Dinesh Prasanth 2020-07-22 18:00:55 UTC

Fixed via PR: https://github.com/dogtagpki/pki/pull/491

Commit information:
===================
commit 08370498e120b5f2d880b4fe78cf19a488e8b8eb (HEAD -> master, origin/master, origin/HEAD)
Author: Dinesh Prasanth M K <dmoluguw>
Date:   Tue Jul 21 17:39:50 2020 -0400

    Fix pki-server status CLI to accept nuxwdog enabled service
    
    This patch fixes pki-server to pick up the right systemd unit file
    name if the nuxwdog is enabled on the PKI server.
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

commit 75fed9db697d2e51137cd8cd60d8402a123b4bca
Author: Dinesh Prasanth M K <dmoluguw>
Date:   Tue Jul 21 16:35:37 2020 -0400

    Print the SD name when executing pki-server status
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw>

Test Procedure:
===============
1. Install CA (and other subsystems as needed)
2. run pkidaemon status <instance>
3. run pki-server status <instance>

Test 1: Compare the outputs of #2 and #3. Make sure #3 captures all output from #2
Test 2: Enable Nuxwdog and rerun test #1

Documentation:
==============

Cause: 
pkidaemon was hard-coded to get status of PKI servers that DON'T use nuxwdog

Consequence: 
There was no CLI to report status of PKI servers that use nuxwdog

Fix: 
`pkidaemon` is deprecated in favor of `pki-server status` since PKI version 10.7.2..
This bug fix ensures that all the content of `pkidaemon` CLI is reported via
`pki-server status`. The new CLI also captures status of PKI servers that use nuxwdog

Result: 
`pki-server status` reports ALL the status report that pkidaemon show and also can handle
scenarios where PKI servers use nuxwdog

Moving the BZ to POST

Comment 9 shalini 2020-08-10 13:58:12 UTC

>>> Verified on below builds:
[root@pki1 ~]# rpm -qa | grep pki
python3-pki-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tools-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64
pki-ca-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tks-10.9.1-1.module+el8pki+7595+528e2489.noarch
pki-base-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch
pki-base-java-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch
pki-server-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-kra-10.9.1-1.module+el8.3.0+7594+3661a26e.noarch
pki-tps-10.9.1-1.module+el8pki+7595+528e2489.x86_64
pki-ocsp-10.9.1-1.module+el8pki+7595+528e2489.noarch
pki-symkey-10.9.1-1.module+el8.3.0+7594+3661a26e.x86_64

[root@pki1 ~]# rpm -qa | grep jss
jss-4.7.2-1.module+el8.3.0+7594+3661a26e.x86_64
tomcatjss-7.5.0-1.module+el8.3.0+7355+c59bcbd9.noarch



>>> Following is the observation [dmoluguw: Please provide your inputs]:
    1. pkidaemon status shows instance as stopped after enabling nuxwdog
    2. pki-server status shows status as running and active but does not show the nuxwdog enable true as pkidaemon status shows in RHEL79 https://bugzilla.redhat.com/show_bug.cgi?id=1487418#c13


>>> Following are the logs [Nuxwdog is enabled for topology-02-CA]:


> systemctl stop pki-tomcatd

> pki-server instance-nuxwdog-enable topology-02-CA
--------------------------------------------
Nuxwdog enabled for instance topology-02-CA.
--------------------------------------------

> pki-server status topology-02-CA
  Instance ID: topology-02-CA
  Active: False
  Unsecure Port: 20080
  Secure Port: 20443
  Tomcat Port: 20005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Name:             topology-02_Foobarmaster.org
    SD Registration URL: https://pki1.example.com:20443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:20080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:20443/ca/services
    PKI Console URL:     https://pki1.example.com:20443/ca

> pkidaemon status topology-02-CA
WARNING: pkidaemon status has been deprecated. Use pki-server status instead.
Status for topology-02-CA: topology-02-CA is stopped


> systemctl start pki-tomcatd-nuxwdog@topology-02-CA
[topology-02-CA] Please provide the password for internal: ************
[topology-02-CA] Please provide the password for internaldb: **********
[topology-02-CA] Please provide the password for replicationdb: ************


>  systemctl | grep pki
pki-tomcatd-nuxwdog                        loaded active running   PKI Tomcat Server topology-02-CA Started by Nuxwdog                          
pki-tomcatd                               loaded active running   PKI Tomcat Server topology-02-KRA                                            
pki-tomcatd                              loaded active running   PKI Tomcat Server topology-02-OCSP                                           
pki-tomcatd                               loaded active running   PKI Tomcat Server topology-02-TKS                                            
pki-tomcatd                               loaded active running   PKI Tomcat Server topology-02-TPS                                            
system-pki\x2dtomcatd.slice                                       loaded active active    system-pki\x2dtomcatd.slice                                                  
system-pki\x2dtomcatd\x2dnuxwdog.slice                            loaded active active    system-pki\x2dtomcatd\x2dnuxwdog.slice                                       


>   systemctl status pki-tomcatd-nuxwdog
● pki-tomcatd-nuxwdog - PKI Tomcat Server topology-02-CA Started by Nuxwdog
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd-nuxwdog@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-08-10 17:49:08 IST; 1h 20min ago
  Process: 38490 ExecStartPost=/usr/bin/setfacl -x u:pkiuser /run/systemd/ask-password (code=exited, status=0/SUCCESS)
  Process: 38400 ExecStartPre=/usr/bin/pkidaemon start topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38371 ExecStartPre=/usr/sbin/pki-server migrate topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38368 ExecStartPre=/usr/sbin/pki-server upgrade topology-02-CA (code=exited, status=0/SUCCESS)
  Process: 38340 ExecStartPre=/usr/bin/pki-server-nuxwdog (code=exited, status=0/SUCCESS)
  Process: 38338 ExecStartPre=/usr/bin/setfacl -m u:pkiuser:wx /run/systemd/ask-password (code=exited, status=0/SUCCESS)
 Main PID: 38489 (java)
    Tasks: 91 (limit: 23665)
   Memory: 176.0M
   CGroup: /system.slice/system-pki\x2dtomcatd\x2dnuxwdog.slice/pki-tomcatd-nuxwdog
           └─38489 /usr/lib/jvm/jre-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/>

Aug 10 17:49:08 pki1.example.com systemd[1]: pki-tomcatd-nuxwdog: Found left-over process 38365 (sleep) in control group while starting unit. Ignoring.
Aug 10 17:49:08 pki1.example.com systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Aug 10 17:49:08 pki1.example.com systemd[1]: Started PKI Tomcat Server topology-02-CA Started by Nuxwdog.
Aug 10 17:49:08 pki1.example.com server[38489]: Java virtual machine used: /usr/lib/jvm/jre-openjdk/bin/java
Aug 10 17:49:08 pki1.example.com server[38489]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Aug 10 17:49:08 pki1.example.com server[38489]: main class used: org.apache.catalina.startup.Bootstrap
Aug 10 17:49:08 pki1.example.com server[38489]: flags used: -Dcom.redhat.fips=false
Aug 10 17:49:08 pki1.example.com server[38489]: options used: -Dcatalina.base=/var/lib/pki/topology-02-CA -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/topology-02-CA/temp -Djava.util.logging.confi>
Aug 10 17:49:08 pki1.example.com server[38489]: arguments used: start
Aug 10 17:49:10 pki1.example.com server[38489]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]


>   pkidaemon status topology-02-CA
WARNING: pkidaemon status has been deprecated. Use pki-server status instead.
Status for topology-02-CA: topology-02-CA is stopped



>   pki-server status topology-02-CA
  Instance ID: topology-02-CA
  Active: True
  Unsecure Port: 20080
  Secure Port: 20443
  Tomcat Port: 20005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Name:             topology-02_Foobarmaster.org
    SD Registration URL: https://pki1.example.com:20443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:20080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:20443/ca/services
    PKI Console URL:     https://pki1.example.com:20443/ca



>>> tail -5 /etc/sysconfig/topology-02-CA
TOMCAT_USER="pkiuser"
TOMCAT_SECURITY="true"

# Use Nuxwdog to start server
USE_NUXWDOG="true"

Comment 10 Dinesh Prasanth 2020-08-10 15:53:16 UTC

> >>> Following is the observation [dmoluguw: Please provide your inputs]:
>     1. pkidaemon status shows instance as stopped after enabling nuxwdog

pkidaemon is deprecated (See the WARNING when you execute). Whatever you
observe seems to be the right behavior


>     2. pki-server status shows status as running and active but does not
> show the nuxwdog enable true as pkidaemon status shows in RHEL79
> https://bugzilla.redhat.com/show_bug.cgi?id=1487418#c13

Good catch. I have fixed it via PR: https://github.com/dogtagpki/pki/pull/515
This is not a blocker and does not alter the way of how the product operates.
So, I'm inclined to ignore this for the purpose of verification of this BZ.
If you are OK with it, the above PR will be delivered in PKI 10.10 (RHEL8.4)

Comment 11 shalini 2020-08-12 09:15:39 UTC


> pki-server status shows the status of instance even when nuxwdog is enabled. It is not a major issue/ blocker, if it is not showing the status of nuxwdog (enable/disable). We can take this in RHEL8.4.
> pkidaemon status is still breaking but it is deprecated so I am marking this BZ verified on the basis of https://bugzilla.redhat.com/show_bug.cgi?id=1732981#c10.

Comment 15 errata-xmlrpc 2020-11-04 03:15:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4847

Note You need to log in before you can comment on or make changes to this bug.