Bug 1859177 - Running ipa-server-install fails on machine where libsss_sudo is not installed
Keywords:
Status: CLOSED DUPLICATE of bug 1859185
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-21 11:52 UTC by Jan Pazdziora (Red Hat)
Modified: 2020-07-21 12:07 UTC

Fixed In Version:
Clone Of:
: 1859185 (view as bug list)
Environment:
Last Closed: 2020-07-21 12:07:49 UTC
Type: Bug
Embargoed:


Description Jan Pazdziora (Red Hat) 2020-07-21 11:52:09 UTC
Description of problem:

In an environment where libsss_sudo is not installed, whether in a container or on a host, ipa-server-install now fails to finish properly.

Version-Release number of selected component (if applicable):

pki-server-10.9.0-0.2.fc33.noarch
freeipa-server-4.8.7-1.fc33.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y /usr/lib64/libsss_sudo.so
2. dnf install -y --setopt=install_weak_deps=False freeipa-server
3. ipa-server-install -U -r EXAMPLE.TEST -p Secret123 -a Secret123

Actual results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpag8a3qe6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 886, in spawn\n    deployer.instance.wait_for_startup(\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start after %ds\' %\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: Add ipa-pki-wait-running
  [3/30]: secure AJP connector
  [4/30]: reindex attributes
  [5/30]: exporting Dogtag certificate store pin
  [6/30]: stopping certificate server instance to update CS.cfg
[...]
The ipa-server-install command was successful

Additional info:

Either whatever component requires / configures libsss_sudo to be present should hard-require it, or ideally sudo shouldn't be used by the installer.

This is a regression against Fedora 32.

Comment 1 Jan Pazdziora (Red Hat) 2020-07-21 12:07:49 UTC
I put in the wrong traceback (the one from bug 1857043), so I've now filed a better bug, bug 1859185.

*** This bug has been marked as a duplicate of bug 1859185 ***
