Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1879604

Summary: pkispawn logs files are empty
Product: Red Hat Enterprise Linux 8 Reporter: François Cami <fcami>
Component: ipaAssignee: François Cami <fcami>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 8.3CC: abokovoy, afarley, bugzilla-pkiqe, cheimes, edewata, ksiddiqu, lmiksik, mpolovka, pcech, rcritten, rhcs-maint, tscherf, twoerner
Target Milestone: rcKeywords: Regression, TestCaseProvided
Target Release: 8.3Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.8.7-12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1879515 Environment:
Last Closed: 2020-11-04 02:51:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description François Cami 2020-09-16 15:42:05 UTC 
+++ This bug was initially created as a clone of Bug #1879515 +++

Description of problem:
When installing a CA instance in IPA, pkispawn no longer logs installation steps and debug logs to /var/log/pki/pki-$subsystem-spawn.$date.log. The log files are empty. The debug logs are important for IPA to understand and debug installation problems.

Version-Release number of selected component (if applicable):
pki-base-10.9.3-1.module+el8.3.0+7928+ce88aa94.noarch
ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64


How reproducible:
always

Steps to Reproduce:
1. dnf -y module enable idm:DL1
2. dnf install ipa-server
3. ipa-server-install

Actual results:
# ls -la /var/log/pki/pki-ca-spawn.20200916083742.log 
-rw-rw-r--. 1 root root 0 Sep 16 08:37 /var/log/pki/pki-ca-spawn.20200916083742.log

Expected results:
The log file contains detailed debug logging of every step.

Additional info:
Comment 1 François Cami 2020-09-16 15:44:29 UTC 
this is due to:
https://github.com/dogtagpki/pki/commit/0102d836f4eac0fcea0adddb4c98d5ea05e4e8f6
and can be worked around on ipa side by adding --debug to the pkispawn invocation.
Comment 6 François Cami 2020-09-16 17:08:16 UTC 
Upstream issue: https://pagure.io/freeipa/issue/8503
PR: https://github.com/freeipa/freeipa/pull/5113

Logs showing the issue (the file only contains the gzip headers): http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ae7eb046-f838-11ea-8647-fa163e5fd761/test_integration-test_replica_promotion.py-TestSubCAkeyReplication-test_subca_replica/master.ipa.test/var/log/pki/

Proper log with --debug invocation: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/7465d796-f83c-11ea-ae35-fa163e43b58c/test_integration-test_external_ca.py-TestExternalCAProfileScenarios-test_valid_v1_template/master.ipa.test/var/log/pki/
Comment 10 Alexander Bokovoy 2020-09-17 07:40:33 UTC 
Move to assigned state, based on the upstream PR work.
Comment 11 François Cami 2020-09-17 11:49:41 UTC 
Upstream PR:
https://github.com/freeipa/freeipa/pull/5113
is approved and running through upstream gating.
Comment 12 François Cami 2020-09-17 11:50:47 UTC 
It has upstream test coverage:

Expected failure without the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/f2117a58-f871-11ea-9e9e-fa163e2dc507/report.html

self = <ipatests.test_integration.test_commands.TestIPACommand object at 0x7fdcb353db20>

    def test_pkispawn_log_is_present(self):
        """
        This testcase checks if pkispawn logged properly.
        It is a candidate from being moved out of test_commands.
        """
        result = self.master.run_command(
            ["ls", "/var/log/pki/"]
        )
        pkispawnlogfile = None
        for file in result.stdout_text.splitlines():
            if file.startswith("pki-ca-spawn"):
                pkispawnlogfile = file
                break
        assert pkispawnlogfile is not None
        pkispawnlogfile = os.path.sep.join(("/var/log/pki", pkispawnlogfile))
        pkispawnlog = self.master.get_file_contents(
            pkispawnlogfile, encoding='utf-8'
        )
        # Totally arbitrary. pkispawn debug logs tend to be > 10KiB.
>       assert len(pkispawnlog) > 1024
E       AssertionError: assert 0 > 1024
E        +  where 0 = len('')

test_integration/test_commands.py:1318: AssertionError
 -------------------------------Captured log call-------------------------------- 
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:391 RUN ['ls', '/var/log/pki/']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:513 RUN ['ls', '/var/log/pki/']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:557 pki-ca-spawn.20200916231608.log
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:557 pki-tomcat
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd430:transport.py:217 Exit code: 0
INFO     ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport:transport.py:436 GET /var/log/pki/pki-ca-spawn.20200916231608.log
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd431:transport.py:513 RUN ['cat', '/var/log/pki/pki-ca-spawn.20200916231608.log']
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd431:transport.py:217 Exit code: 0


Green run with the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cf98f4e8-f8b1-11ea-8724-fa163e54c0e1/report.html
Comment 14 François Cami 2020-09-17 14:00:11 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/c31bf3d430763ef5b0ef28510995af48dccde287
https://pagure.io/freeipa/c/be7bf98b3b8cb1db9d4baa5548991ac72049ade8
Comment 15 François Cami 2020-09-17 16:45:25 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/d1c860e59b5237178066ed963cc2fa50d99cd690
https://pagure.io/freeipa/c/97c6d2d2c2359b8ff5585afa0d2e5f5599cd5048
Comment 20 Michal Polovka 2020-09-24 17:07:32 UTC 
Manual verification:

[root@ip test]# rpm -q ipa-server
ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64

[root@ip test]# cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"


[root@ip test]# ipa-server-install --domain dom-$(hostname -f) --realm DOM-$(hostname -f | tr '[:lower:]' '[:upper:]') -a ***** -p ***** -U
...output truncated...
SUCCESS

[root@ip test]# ls /var/log/pki
/var/log/pki/pki-ca-spawn.20200924124514.log  pki-tomcat


[root@ip test]# head /var/log/pki/pki-ca-spawn.20200924124514.log 
2020-09-24 12:45:14 INFO: Connecting to LDAP server at ldap://never.gonna.give.you.up:389
2020-09-24 12:45:14 INFO: Connecting to LDAP server at ldap://never.gonna.let.you.down:389
2020-09-24 12:45:14 DEBUG: Installing Maven dependencies: False
2020-09-24 12:45:14 INFO: BEGIN spawning CA subsystem in pki-tomcat instance
2020-09-24 12:45:14 INFO: Loading instance: pki-tomcat
2020-09-24 12:45:14 INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
2020-09-24 12:45:14 INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
2020-09-24 12:45:14 INFO: Setting up pkiuser group
2020-09-24 12:45:14 INFO: Reusing existing pkiuser group with GID n
2020-09-24 12:45:14 INFO: Setting up pkiuser user


Hereby marking as VERIFIED. Automation exists in test test_pkispawn_log_is_present added in ipatests/test_integration/test_commands.py
Comment 23 errata-xmlrpc 2020-11-04 02:51:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670
Comment 25 Red Hat Bugzilla 2023-09-15 00:48:16 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days