Bug 1889753 - rebuild of ipa-server-container 7.9
Summary: rebuild of ipa-server-container 7.9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa-server-container
Version: 7.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: Tibor Dudlák
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-20 14:12 UTC by Ferdinand bot (Userspace containerization team)
Modified: 2020-11-10 17:45 UTC

Fixed In Version: ipa-server-container-4.6.8-17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-10 17:45:26 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:5064 0 None None None 2020-11-10 17:45:28 UTC

Description Ferdinand bot (Userspace containerization team) 2020-10-20 14:12:43 UTC
Hello,

this bug has been created by bot Ferdinand
in order to be able to create Errata advisory for batch RHEL-7.9.1-Containers which is due 2020-11-09 (the GA date may change).

With regards,
Ferdinand, member of the bot family,
Userspace Containerization Team, <user-cont>

Comment 8 Nikhil Dehadrai 2020-11-09 15:11:03 UTC
Tested the bug with the following observations:

IPA Container: ipa-server-container-4.6.8.16
SSSD Container: sssd-container-7.9.1.2
ipa-server-4.6.8.5.el7.x86_64
ipa-client-4.6.8.5.el7.x86_64



[root@master cloud-user]# atomic host status
State: idle; auto updates disabled
Deployments:
* ostree://rhel79z:rhel-atomic-host/7/x86_64/standard
                   Version: 7.9.1 (2020-11-04 14:16:00)
                    Commit: 995fc05b902087072cddfd3f761c28a16c78e9f8650231e20fd7fd6ff668b017
              GPGSignature: Valid signature by 567E347AD0044ADE55BA8A5F199E2F91FD431D51



Verified the bug with the following scenarios:
A) CVE Scan:


IPA:
———
[root@master cloud-user]# atomic scan --scanner openscap --scan_type cve rhel7/ipa-server
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2020-11-09-05-37-40-377989:/scanin -v /var/lib/atomic/openscap/2020-11-09-05-37-40-377989:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Unable to find image 'registry.access.redhat.com/rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
latest: Pulling from registry.access.redhat.com/rhel7/openscap
Digest: sha256:1f785d7eb357a4166545c4f210583d3633e0c2d8c8cf5d7b4a499c7c6f46106c
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

rhel7/ipa-server (e5ed3f0095bef46)

The following issues were found:

     RHSA-2020:4908: libX11 security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2020:4908
       RHSA ID: RHSA-2020:4908
       Associated CVEs:
           CVE ID: CVE-2020-14363
           CVE URL: https://access.redhat.com/security/cve/CVE-2020-14363

     RHSA-2020:4907: freetype security update (Important)
     Severity: Important
       RHSA URL: https://access.redhat.com/errata/RHSA-2020:4907
       RHSA ID: RHSA-2020:4907
       Associated CVEs:
           CVE ID: CVE-2020-15999
           CVE URL: https://access.redhat.com/security/cve/CVE-2020-15999


Files associated with this scan are in /var/lib/atomic/openscap/2020-11-09-05-37-40-377989.



SSSD:
———
[root@client cloud-user]# atomic scan --scanner openscap --scan_type cve rhel7/sssd
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2020-11-09-05-37-53-025271:/scanin -v /var/lib/atomic/openscap/2020-11-09-05-37-53-025271:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Unable to find image 'registry.access.redhat.com/rhel7/openscap:latest' locally
Trying to pull repository registry.access.redhat.com/rhel7/openscap ... 
latest: Pulling from registry.access.redhat.com/rhel7/openscap
Digest: sha256:1f785d7eb357a4166545c4f210583d3633e0c2d8c8cf5d7b4a499c7c6f46106c
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

rhel7/sssd (89f6477f26cd89d)

rhel7/sssd passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2020-11-09-05-37-53-025271.


B) Regression Tests:
------------------------
1. Verified that IPA-server is installed through ipa-container image.
2. Verified that IPA-replica is installed through ipa-container image.
3. Verified that klist command works both on ipa-server/ipa-replica configured through ipa-container image.
4. Verified that 2-way trust can be set up with Windows AD with IPA-server configured through ipa-container image.
5. Verified that IPA-client(type1) configured with sssd-container image can be set up against this IPA-server.
6. Verified that IPA-client(type2) configured with sssd-container image can be set up against this IPA-server.
7. Verified that RHEL(rpm) IPA-client can be set up against this IPA-server.
8. Verified that RHEL(rpm) IPA-Replica can be set up against this IPA-server configured using ipa-container image.
9. Verified that sudo rules work for IPA-server installed through ipa-container image.
10. Verified that latest version of ipa-server is available with ipa-container image.
11. Verified that IPA-server is accessible when it is installed through ipa-docker image.
12. Verified that command ipa-adtrust-install is successful.
13. Verified that ipa-kra-install is successful.
14. Verified that ipa-vault-add, ipa vault-archive and ipa-retrieve run successfully.
15. Verified that SUBCA setup runs successfully.
16. Verified that IPA-server/IPA-replica can be uninstalled.

Thus, on the basis of the above observations, changing status to VERIFIED.

Comment 10 errata-xmlrpc 2020-11-10 17:45:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Enterprise Linux 7.9.1 ipa-server Container Image Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5064

