Bug 1735179 - Failed to install freeIPA server on rawhide
Summary: Failed to install freeIPA server on rawhide
Keywords:
Status: CLOSED DUPLICATE of bug 1734789
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-31 18:56 UTC by Lukas Slebodnik
Modified: 2019-10-31 19:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-02 17:54:42 UTC
Type: Bug
Embargoed:



Description Lukas Slebodnik 2019-07-31 18:56:21 UTC
Description of problem:
SSIA

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server pki-ca tomcat nss
freeipa-server-4.8.0-2.fc31.x86_64
pki-ca-10.7.0-2.fc31.noarch
tomcat-9.0.21-2.fc31.noarch
nss-3.44.1-2.fc31.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=kvm-01-guest05.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123

Actual results:
//snip
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp1utityua'] returned non-zero exit status 1: '')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
freeIPA server installed without any problem.

Comment 2 Lukas Slebodnik 2019-07-31 19:04:15 UTC
The directory /var/lib/pki/pki-tomcat/ was created with the wrong SELinux context; therefore
all subdirectories had the wrong SELinux file context as well, which caused a bunch of AVCs.

But installation failed even in permissive mode.

Comment 3 Lukas Slebodnik 2019-07-31 19:05:54 UTC
Most of the logs are empty.

sh# ls -lR /var/log/pki/
/var/log/pki/:
total 100
-rw-rw-r--. 1 root    root    97074 Jul 31 20:47 pki-ca-spawn.20190731204752.log
-rw-r--r--. 1 root    root     1137 Jul 31 20:44 pki-server-upgrade-10.7.0.log
drwxrwx---. 3 pkiuser pkiuser   187 Jul 31 20:47 pki-tomcat

/var/log/pki/pki-tomcat:
total 4
drwxrwx---. 4 pkiuser pkiuser  40 Jul 31 20:47 ca
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 31 20:47 catalina.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 31 20:47 host-manager.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 31 20:47 localhost.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser 196 Jul 31 20:48 localhost_access_log.2019-07-31.txt
-rw-r--r--. 1 pkiuser pkiuser   0 Jul 31 20:47 manager.2019-07-31.log

/var/log/pki/pki-tomcat/ca:
total 0
drwxrwx---. 2 pkiuser pkiuser 6 Jul 31 20:47 archive
drwxrwx---. 2 pkiuser pkiuser 6 Jul 31 20:47 signedAudit

/var/log/pki/pki-tomcat/ca/archive:
total 0

/var/log/pki/pki-tomcat/ca/signedAudit:
total 0


sh# cat /var/log/pki/pki-server-upgrade-10.7.0.log 
Upgrading PKI server configuration at Wed 31 Jul 2019 08:44:42 PM CEST.
Traceback (most recent call last):
  File "/usr/lib64/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.7/site-packages/pki/server/cli/upgrade.py", line 208, in <module>
    main(sys.argv)
  File "/usr/lib/python3.7/site-packages/pki/server/cli/upgrade.py", line 199, in main
    upgrader.upgrade()
  File "/usr/lib/python3.7/site-packages/pki/upgrade.py", line 619, in upgrade
    versions = self.versions()
  File "/usr/lib/python3.7/site-packages/pki/upgrade.py", line 429, in versions
    current_version = self.get_current_version()
  File "/usr/lib/python3.7/site-packages/pki/server/upgrade.py", line 301, in get_current_version
    for subsystem in self.subsystems(instance):
  File "/usr/lib/python3.7/site-packages/pki/server/upgrade.py", line 235, in subsystems
    for subsystemName in os.listdir(registry_dir):
FileNotFoundError: [Errno 2] No such file or directory: '/etc/sysconfig/pki/tomcat/pki-tomcat'

sh# ls -l /etc/sysconfig/pki/tomcat/pki-tomcat
total 4
drwxrwx---. 2 pkiuser pkiuser   47 Jul 31 20:47 ca
-rw-rw----. 1 pkiuser pkiuser 1187 Jul 31 20:47 pki-tomcat

Comment 4 Alexander Bokovoy 2019-07-31 19:18:48 UTC
Moving to Dogtag to investigate.

Comment 5 Dinesh Prasanth 2019-07-31 23:42:23 UTC
Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to catch the error that you were seeing. Can you post the versions of the various components that you have installed on your system?

The only difference between [1] and your setup would be that our CI uses the latest PKI-10.7.2 packages while we have only 10.7.0 released on Fedora. We will be releasing the latest PKI 10.7.2 next week. :)

You can probably grab the latest RPMS from our official COPR repo[2] 

[1] https://travis-ci.org/dogtagpki/pki/jobs/565175183
[2] https://copr.fedorainfracloud.org/coprs/g/pki/master/builds/

PS1: The overall job failed because of IPA testcases.
PS2: we recently branched 10.8. So, you might find some 10.8 builds too in COPR. :)

Comment 6 Lukas Slebodnik 2019-08-01 07:45:20 UTC
(In reply to Dinesh Prasanth from comment #5)
> Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to
> catch the error that you were seeing. Can you post the versions of the
> various components that you have installed on your system?
> 

I already provided them in the description of this bug.
If something is missing let me know which package are you interested in.

Comment 7 Dinesh Prasanth 2019-08-01 14:47:27 UTC
(In reply to Lukas Slebodnik from comment #6)
> (In reply to Dinesh Prasanth from comment #5)
> > Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to
> > catch the error that you were seeing. Can you post the versions of the
> > various components that you have installed on your system?
> > 
> 
> I already provided them in the description of this bug.

~facepalm~ Sorry about that. I looked at this BZ around midnight, when I was in a zombie state. :)

> If something is missing let me know which package are you interested in.

Sure. We will be releasing the latest PKI 10.7.2 early next week. I'll keep you posted. Thanks for the report! :)

Comment 8 Lukas Slebodnik 2019-08-01 17:49:01 UTC
I tried the package from the copr repo and the SELinux issues are not fixed.
The directory /var/lib/pki/pki-tomcat/ was created with the wrong SELinux file context and therefore
all files inside have the wrong label as well.

sh# rpm -q pki-ca
pki-ca-10.8.0-0.1.20190731195605.c5d8e6e2.fc31.noarch

sh# grep -i selinux /var/log/pki/pki-ca-spawn.20190801132146.log 
                         'selinux_setup\n'
                       'selinux_setup\n'
INFO    : selinux        SELinux disabled

sh# getenforce 
Enforcing

sh# ls -lZd /var/lib/pki/pki-tomcat/
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 131 Aug  1 13:21 /var/lib/pki/pki-tomcat/

sh# ls -lZ /var/lib/pki/pki-tomcat/
total 0
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  25 Aug  1 13:21 alias -> /etc/pki/pki-tomcat/alias
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  21 Aug  1 13:21 bin -> /usr/share/tomcat/bin
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 104 Aug  1 13:21 ca
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  28 Aug  1 13:21 common -> /usr/share/pki/server/common
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  19 Aug  1 13:21 conf -> /etc/pki/pki-tomcat
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  25 Aug  1 13:21 lib -> /usr/share/pki/server/lib
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  23 Aug  1 13:21 logs -> /var/log/pki/pki-tomcat
lrwxrwxrwx. 1 root    root    unconfined_u:object_r:var_lib_t:s0  16 Aug  1 13:21 pki-tomcat -> /usr/sbin/tomcat
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0   6 Aug  1 13:21 temp
drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  22 Aug  1 13:21 work

sh# matchpathcon /var/lib/pki/pki-tomcat/*
/var/lib/pki/pki-tomcat/alias   system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/bin     system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/ca      system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/common  system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/conf    system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/lib     system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/logs    system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/pki-tomcat      system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/temp    system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/work    system_u:object_r:pki_tomcat_var_lib_t:s0

Comment 9 Lukas Slebodnik 2019-08-02 07:45:46 UTC
The same problem is with the directory /etc/pki/pki-tomcat/

sh-5.0# ls -ldZ /etc/pki/pki-tomcat/
drwxrwx---. 5 pkiuser pkiuser system_u:object_r:usr_t:s0 4096 Aug  1 19:04 /etc/pki/pki-tomcat/
sh-5.0# matchpathcon /etc/pki/pki-tomcat/
/etc/pki/pki-tomcat     system_u:object_r:pki_tomcat_etc_rw_t:s0
sh-5.0# 
sh-5.0# 
sh-5.0# ls -ldZ /etc/pki/pki-tomcat/*
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:usr_t:s0   100 Aug  1 19:05 /etc/pki/pki-tomcat/alias
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:usr_t:s0  4096 Aug  1 19:05 /etc/pki/pki-tomcat/ca
drwxrwx---. 3 pkiuser pkiuser system_u:object_r:usr_t:s0        23 Aug  1 18:56 /etc/pki/pki-tomcat/Catalina
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0     21458 Aug  1 19:04 /etc/pki/pki-tomcat/catalina.policy
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    46 Aug  1 19:03 /etc/pki/pki-tomcat/catalina.properties -> /usr/share/pki/server/conf/catalina.properties
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    39 Aug  1 19:03 /etc/pki/pki-tomcat/ciphers.info -> /usr/share/pki/server/conf/ciphers.info
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    34 Aug  1 19:03 /etc/pki/pki-tomcat/context.xml -> /usr/share/tomcat/conf/context.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0       292 May  6 18:27 /etc/pki/pki-tomcat/custom.policy
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    45 Aug  1 19:03 /etc/pki/pki-tomcat/logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    98 Aug  1 19:03 /etc/pki/pki-tomcat/password.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0      7996 Aug  1 19:04 /etc/pki/pki-tomcat/pki.policy
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0      1622 May  6 18:27 /etc/pki/pki-tomcat/schema-authority.ldif
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0       495 May  6 18:27 /etc/pki/pki-tomcat/schema-certProfile.ldif
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    24 Aug  1 19:04 /etc/pki/pki-tomcat/serverCertNick.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0     11340 Aug  1 19:04 /etc/pki/pki-tomcat/server.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0      1895 Aug  1 19:03 /etc/pki/pki-tomcat/tomcat.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0      2473 May  6 18:27 /etc/pki/pki-tomcat/tomcat-users.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0       108 May  6 18:27 /etc/pki/pki-tomcat/usn.ldif
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0    30 Aug  1 19:03 /etc/pki/pki-tomcat/web.xml -> /usr/share/tomcat/conf/web.xml
sh-5.0# matchpathcon /etc/pki/pki-tomcat/*
/etc/pki/pki-tomcat/alias       system_u:object_r:pki_tomcat_cert_t:s0
/etc/pki/pki-tomcat/ca  system_u:object_r:pki_tomcat_cert_t:s0
/etc/pki/pki-tomcat/Catalina    system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/catalina.policy     system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/catalina.properties system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/ciphers.info        system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/context.xml system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/custom.policy       system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/logging.properties  system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/password.conf       system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/pki.policy  system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/schema-authority.ldif       system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/schema-certProfile.ldif     system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/serverCertNick.conf system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/server.xml  system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/tomcat.conf system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/tomcat-users.xml    system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/usn.ldif    system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/web.xml     system_u:object_r:pki_tomcat_etc_rw_t:s0

Comment 10 Lukas Slebodnik 2019-08-02 17:54:01 UTC
The SELinux-related problems are caused by wrong detection of enabled SELinux in
/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/selinux_setup.py

# PKI Deployment Selinux Setup Scriptlet
# The import block below is added here for context and reconstructed from the
# "seobject is None" check further down; it is not quoted from the file.
import logging
import selinux

from pki.server.deployment import pkiconfig as config
from pki.server.deployment import pkiscriptlet

logger = logging.getLogger(__name__)

try:
    import seobject
except ImportError:   # a broken python3-setools ends up here
    seobject = None


class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):

    suffix = "(/.*)?"

    def restore_context(self, mdict):
        # Relabel the instance, log and configuration trees to match the loaded policy.
        selinux.restorecon(mdict['pki_instance_path'], True)
        selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
        selinux.restorecon(mdict['pki_instance_log_path'], True)
        selinux.restorecon(mdict['pki_instance_configuration_path'], True)

    def spawn(self, deployer):

        if config.str2bool(deployer.mdict['pki_skip_installation']):
            logger.info('Skipping SELinux setup')
            return

        # seobject is None whenever its import failed, so an ImportError deep in
        # python-setools makes the scriptlet treat SELinux as disabled and skip
        # labelling, even though getenforce reports Enforcing.
        if not selinux.is_selinux_enabled() or seobject is None:
            logger.info('SELinux disabled')
            return

It fails because of a bug in python-setools

 python3 -c 'import seobject'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/seobject.py", line 33, in <module>
    import sepolicy
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
    import setools
  File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 31, in <module>
    from . import policyrep
  File "/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py", line 26, in <module>
    from .bounds import BoundsRuletype
  File "/usr/lib64/python3.7/site-packages/setools/policyrep/bounds.py", line 22, in <module>
    from .qpol import qpol_typebounds_t
ImportError: cannot import name 'qpol_typebounds_t' from 'setools.policyrep.qpol' (/usr/lib64/python3.7/site-packages/setools/policyrep/qpol.py)
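
Added example, not code from this bug or from pki: a pure-Python check that turns the `ls -lZ` and `matchpathcon` listings from comments 8 and 9 into a post-install verification, comparing the type field of each entry's actual context with the type the policy expects, and flagging the fail-open condition from comment 8 where the spawn log says "SELinux disabled" while getenforce reports Enforcing. The sample output is constructed from values on this page; the function names are mine.

```python
# Constructed sample, modelled on comment 8: `ls -lZ /var/lib/pki/pki-tomcat/`,
# `matchpathcon /var/lib/pki/pki-tomcat/*` and the grep over the spawn log.
LS_LZ_SAMPLE = """\
total 0
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0  25 Aug  1 13:21 alias -> /etc/pki/pki-tomcat/alias
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 104 Aug  1 13:21 ca
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0   6 Aug  1 13:21 temp
"""
MATCHPATHCON_SAMPLE = """\
/var/lib/pki/pki-tomcat/alias   system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/ca      system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/temp    system_u:object_r:pki_tomcat_var_lib_t:s0
"""
SPAWN_LOG_SAMPLE = "INFO    : selinux        SELinux disabled\n"


def selinux_type(context):
    """Type field of user:role:type:level. Only the type is compared: the user
    field legitimately differs (unconfined_u for files created by the installer,
    system_u in the policy default), and the type is what access checks use."""
    return context.split(":")[2]


def parse_ls_lz(output, base_dir):
    """Map full path -> actual type. In `ls -lZ` output field 5 is the context and
    field 10 the name (a symlink's name precedes the '->'); 'total N' is skipped."""
    actual = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue
        actual[f"{base_dir}/{fields[9]}"] = selinux_type(fields[4])
    return actual


def parse_matchpathcon(output):
    """Map full path -> type the loaded policy expects for that path."""
    return {p: selinux_type(c) for p, c in
            (line.split() for line in output.splitlines() if line.strip())}


def find_mislabeled(ls_output, matchpathcon_output, base_dir):
    """(path, actual_type, expected_type) for every entry whose label disagrees
    with policy; an empty list means restorecon/the scriptlet did its job."""
    actual = parse_ls_lz(ls_output, base_dir)
    expected = parse_matchpathcon(matchpathcon_output)
    return [(p, actual[p], expected[p]) for p in sorted(expected)
            if p in actual and actual[p] != expected[p]]


def selinux_silently_skipped(spawn_log, getenforce_output):
    """True when pkispawn logged 'SELinux disabled' although the kernel reports
    Enforcing or Permissive: the fail-open path this bug went down."""
    logged_disabled = any("SELinux disabled" in line for line in spawn_log.splitlines())
    return logged_disabled and getenforce_output.strip() in ("Enforcing", "Permissive")
```

On a real host, feed it the output of `ls -lZ`, `matchpathcon` and `getenforce`; a non-empty mismatch list after pkispawn is the signal that labelling was skipped rather than that the policy is wrong.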

Comment 11 Lukas Slebodnik 2019-08-02 17:54:42 UTC

*** This bug has been marked as a duplicate of bug 1734789 ***

Comment 12 Dinesh Prasanth 2019-08-02 23:12:52 UTC
Thank you for the confirmation, Lukas! Glad that it worked out! :)

Comment 13 Lukas Slebodnik 2019-08-03 09:33:35 UTC
(In reply to Dinesh Prasanth from comment #12)
> Thank you for the confirmation, Lukas! Glad that it worked out! :)

I have no idea what you mean here; I could not confirm any of your suggestions,
because the version of dogtag was unrelated and the dogtag team did not even try
to investigate the SELinux bug.

no need to say thank you very much Lukas for your time :-)
