Bug 1866811 - gssapi packages missing on upgrade
Summary: gssapi packages missing on upgrade
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-appliance
Classification: oVirt
Component: General
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ovirt-4.4.2
Target Release: 4.4.2
Assignee: Yedidyah Bar David
QA Contact: Pavol Brilla
URL:
Whiteboard:
Depends On:
Blocks: 1867038
Reported: 2020-08-06 12:55 UTC by Yedidyah Bar David
Modified: 2020-09-22 10:31 UTC (History)

Fixed In Version: ovirt-engine-appliance-4.4-20200826172858.1.el8
Doc Type: Bug Fix
Doc Text:
Cause: mod_auth_gssapi package was not included in oVirt Appliance.
Consequence: Upgrade from 4.3 to 4.4 failed while restoring SSO configuration requiring the gssapi module for processing the "GssapiCredStore keytab:/etc/httpd/http.keytab" directive.
Fix: mod_auth_gssapi has been added to oVirt Appliance.
Result: Upgrade from 4.3 to 4.4 is now possible even with SSO configuration included.
Clone Of:
Clones: 1867038
Environment:
Last Closed: 2020-09-22 10:31:27 UTC
oVirt Team: Integration
Embargoed:
sbonazzo: ovirt-4.4?
mtessun: planning_ack+
sbonazzo: devel_ack+
lleistne: testing_ack+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5305591 0 None None None 2020-08-07 16:17:32 UTC
oVirt gerrit 110693 0 master MERGED kickstart: add mod_auth_gssapi 2020-11-26 12:09:11 UTC
oVirt gerrit 110697 0 ovirt-4.4 MERGED kickstart: add mod_auth_gssapi 2020-11-26 12:09:12 UTC
oVirt gerrit 110698 0 master MERGED kickstart: add recommended packages 2020-11-26 12:09:36 UTC
oVirt gerrit 110955 0 ovirt-4.4 MERGED kickstart: add recommended packages 2020-11-26 12:09:12 UTC

Description Yedidyah Bar David 2020-08-06 12:55:51 UTC
Description of problem:

Our documentation says [1] to install mod_auth_gssapi for configuring single-sign-on.

Recently, engine-backup has also started backing up the configuration file that the documentation says to create, which (among other things) includes the directive:

GssapiCredStore keytab:/etc/httpd/http.keytab

On upgrade from a system that followed this, engine-setup fails when starting httpd, and httpd log complains about this command (GssapiCredStore), because the module is missing.

We should IMO include in the appliance all the packages we document to install, even optionally. For this specific case, the list is:

ovirt-engine-extension-aaa-misc ovirt-engine-extension-aaa-ldap mod_auth_gssapi mod_session

We should probably review all documentation for similar cases.

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/configuring_ldap_and_kerberos_for_single_sign-on

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Setup 4.3 hosted-engine
2. Follow docs (above [1]) to configure single-sign-on
3. Upgrade to 4.4

Actual results:
Fails
hosted-engine log has:

2020-08-06 15:22:07,968+0300 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 TASK [ovirt.engine-setup : Run engine-setup with answerfile]
2020-08-06 15:23:18,434+0300 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:103 {'msg': 'non-zero return code', 'cmd': ['engine-setup', '--accept-defaults', '--config-append=/root/ovirt-engine-answers'], 'stdout': "[ INFO  ] Stage: Initializing\n[ INFO  ] Stage: Environment setup\n

... (all in a single line. Perhaps we should also try to split it in the log...)

[ ERROR ] Failed to execute stage 'Closing up': Failed to start service 'httpd'\n

Expected results:
Succeeds

Additional info:

A workaround is probably (still verifying) to create a file, e.g. /usr/share/ansible/roles/ovirt.hosted_engine_setup/hooks/enginevm_before_engine_setup/install-gssapi.yml, with content:

- name: Install mod_auth_gssapi
  package:
    name: mod_auth_gssapi
    state: present
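
As an added example (not part of this bug report or of oVirt), a pre-upgrade check that scans the httpd SSO config the documentation says to create and lists the module packages its directives need but the target appliance does not have. The directive-to-package map and the sample config are assumptions built from the directives named above; extend the map for your own config.

```python
"""Pre-upgrade check: report httpd module packages required by an SSO config.

Added example, not oVirt code. DIRECTIVE_TO_PACKAGE is an assumed map and
SAMPLE_CONF is a constructed stand-in for /etc/httpd/conf.d/ovirt-sso.conf.
"""
import subprocess

# Assumed map: Apache directive -> package that provides it.
DIRECTIVE_TO_PACKAGE = {
    "GssapiCredStore": "mod_auth_gssapi",
    "GssapiUseSessions": "mod_auth_gssapi",
    "Session": "mod_session",
    "SessionCookieName": "mod_session",
}

# Constructed sample resembling the SSO config the documentation describes.
SAMPLE_CONF = """\
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
  AuthType GSSAPI
  AuthName "Kerberos Login"
  # Modify to match installation
  GssapiCredStore keytab:/etc/httpd/http.keytab
  GssapiUseSessions On
  Session On
  SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
</LocationMatch>
"""


def directives_in(conf_text):
    """Return the set of directive names (first token of each non-comment, non-tag line)."""
    found = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        found.add(line.split()[0])
    return found


def installed_packages():
    """Package names from rpm; empty set if rpm is unavailable (e.g. run off-host)."""
    try:
        out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME}\n"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return set(out.split())


def missing_packages(conf_text, installed):
    """Sorted list of packages that conf_text's directives need and `installed` lacks."""
    needed = {DIRECTIVE_TO_PACKAGE[d] for d in directives_in(conf_text)
              if d in DIRECTIVE_TO_PACKAGE}
    return sorted(needed - set(installed))


if __name__ == "__main__":
    for pkg in missing_packages(SAMPLE_CONF, installed_packages()):
        print(f"missing: {pkg} (httpd will fail to start until it is installed)")
```

Run it on the engine VM against the restored config before engine-setup reaches the "start httpd" step; an empty result means the directives present are all backed by installed packages.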

Comment 1 Sandro Bonazzola 2020-08-07 09:33:39 UTC
If I understood correctly, the only required package to make upgrade succeed in this case is mod_auth_gssapi.
Pushed https://gerrit.ovirt.org/110693 adding it to appliance.

Since our documentation also suggests
- ovirt-engine-extension-aaa-misc
- ovirt-engine-extension-aaa-ldap (added explicitly although it's already included by ovirt-engine-extension-aaa-ldap-setup, which we already require there)
- mod_session

I pushed https://gerrit.ovirt.org/110698 separately.
I tend to agree we should have them in.
Size increase is minimal and shouldn't cause issues if not utilized.
Martin, any objection?


> We should probably review all documentation for similar cases.

Can you handle this, didi?

Comment 2 Martin Perina 2020-08-07 09:37:26 UTC
(In reply to Sandro Bonazzola from comment #1)
> If I understood correctly, the only required package to make upgrade succeed
> in this case is mod_auth_gssapi.
> Pushed https://gerrit.ovirt.org/110693 adding it to appliance.
> 
> Since our documentation suggest also
> - ovirt-engine-extension-aaa-misc
> - ovirt-engine-extension-aaa-ldap (added explicitly despite it's already
> included by ovirt-engine-extension-aaa-ldap-setup we already require there)
> - mod_session
> 
> I pushed https://gerrit.ovirt.org/110698 separately.
> I tend to agree we should have them in.
> Size increase is minimal and shouldn't cause issues if not utilized.
> Martin any objection?
> 

Artur, any other package needed for Keycloak/RHSSO integration?

> 
> > We should probably review all documentation for similar cases.
> 
> Can you handle didi?

Eli Marcus is working on Keycloak/RHSSO integration in BZ1658698

Comment 3 Artur Socha 2020-08-07 10:46:00 UTC
For Keycloak integration we need mod_auth_openidc. For CentOS 8 this is available as a module.

dnf module enable mod_auth_openidc:2.3 -y
dnf install mod_auth_openidc

Comment 4 Artur Socha 2020-08-07 10:47:07 UTC
(In reply to Artur Socha from comment #3)
> For keycloak integration we need mod_auth_openidc. For centos8 this is
> available as module.
> 
> dnf module enable mod_auth_openidc:2.3 -y
> dnf install mod_auth_openidc

ovirt-engine-extension-aaa-misc is required as well.

Comment 5 Marina Kalinin 2020-08-07 16:17:32 UTC
Can someone please confirm the workaround in this KCS? https://access.redhat.com/solutions/5305591.

Comment 7 Sandro Bonazzola 2020-08-10 12:29:33 UTC
(In reply to Artur Socha from comment #4)
> (In reply to Artur Socha from comment #3)
> > For keycloak integration we need mod_auth_openidc. For centos8 this is
> > available as module.
> > 
> > dnf module enable mod_auth_openidc:2.3 -y
> > dnf install mod_auth_openidc
> 
> ovirt-engine-extension-aaa-misc is required as well.

Are these needed if we restore a database from an engine which was using them? Will the engine die if they're not in? Or can they be re-added in a second step?

Comment 8 Artur Socha 2020-08-10 12:42:46 UTC
They all can be added later. Without those packages, users will not be able to log in, but the engine's service will be up and running.

Comment 9 Artur Socha 2020-08-10 12:45:00 UTC
(In reply to Artur Socha from comment #8)
> They all can be added later. Without those packages user will not be able to
> login but the engine's service will be up and running.

One more thing that has just come to my mind. In case of re-adding ovirt-engine-extension-aaa-misc, an engine restart will be needed.
Similarly when mod_auth_openidc is installed httpd must be restarted.

Comment 10 Michal Skrivanek 2020-08-26 18:40:59 UTC
Any patch missing? If not, please move to MODIFIED.

