Description of problem:

Improve the way IPA detects PKI services: do not rely on files or directories, but on the Dogtag tools or interfaces. Example: use pki-server subsystem-find (from base/server/python/pki/server/cli/subsystem.py, class SubsystemFindCLI(pki.cli.CLI)):

  pki-server subsystem-find
  -----------------
  2 entries matched
  -----------------
    Subsystem ID: ca
    Instance ID: pki-tomcat
    Enabled: True

    Subsystem ID: kra
    Instance ID: pki-tomcat
    Enabled: True

instead of /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py:

  def is_installed(self):
      """
      Determine if subsystem instance has been installed.

      Returns True/False
      """
      return os.path.exists(os.path.join(
          paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))

This directory path test returns an incorrect true status because, for example, there is no "ipa-kra-install --uninstall" (removed in 2018 / bz 1454444):

  ipa-kra-install --uninstall
  ERROR: Standalone KRA uninstallation was removed in IPA 4.5 as it had never worked properly and only caused issues.

Real world scenario example: there is a RHEL-7 IPA replica deployed; that system is updated from RHEL-7.8 to RHEL-7.9; the update fails in IPA, leading to a failing "ipactl restart", then to some serious other problems. In this case, there was no PKI KRA subsystem configured listed from

  ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b "ou=Security Domain,o=ipaca"

nor from "ipa config-show --all", and no ipara listed from

  ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b o=ipaca '(|(uid=ipara)(uid=ipakra))'

but we still had a directory /var/lib/pki/pki-tomcat/kra/, so the test in /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py incorrectly returned a true status in is_installed(self). That all led to an LDAP error on no ipakra user entry, then to a failed IPA update, then to a failed ipactl start, and a bad situation.
Version-Release number of selected component (if applicable):
RHEL-7
RHEL-8

How reproducible:

Steps to Reproduce:
1. IPA with CA, NO KRA
2. add a /var/lib/pki/pki-tomcat/kra/ directory
3. try to run the ipa console for api.Updater[fix_kra_people_entry]()

Actual results:

  2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
  ...
  2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
  2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
      self.modified = (ld.update(self.files) or self.modified)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 966, in update
      self._run_updates(all_updates)
    ...
    File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py", line 35, in execute
      entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

Then I realized there is no KRA agent LDAP entry uid=ipakra,ou=people,o=kra,o=ipaca because that RHEL IPA system has no KRA installed (but has a CA). So why the failure in fix_kra_people_entry.py if there is no KRA?

The IPA update uses "plug-ins" to update various elements, listed from /usr/share/ipa/updates/90-post_upgrade_plugins.update. One of them is /usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py, which calls /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py, which calls a function is_installed(). The problem is that is_installed() simply checks for a directory path to decide a PKI subsystem is installed and configured, which is not a sufficient way to detect the availability of a service.

Expected results:
yes

Additional info:
Notes for triage: looks like an easy fix. The "pki-server subsystem-show kra" command could be used.

If the KRA is configured, the output looks like:

  # pki-server subsystem-show kra
    Subsystem ID: kra
    Instance ID: pki-tomcat
    Enabled: True

If the KRA hasn't been configured, the output looks like:

  # pki-server subsystem-show kra
  ERROR: ERROR: No kra subsystem in instance pki-tomcat.
  (return code = 1)

If the server doesn't have PKI configured at all (no CA, no KRA), the output is:

  # pki-server subsystem-show kra
  ERROR: Invalid instance pki-tomcat.
  (return code 1)

Notes:
- pki-server does not require the services to be up. The command can be used even during an upgrade when some of the services are stopped.
- The command /usr/sbin/pki-server is delivered in the package pki-server. freeipa-server indirectly requires pki-server pkg through pki-ca and pki-kra packages, meaning that the command is always installed on a freeipa server.
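The following is an added example written for this report; it is not FreeIPA's or Dogtag's own code and not the upstream fix. It puts the directory-based is_installed() check from the description next to a check that asks pki-server, and it models the three outcomes of "pki-server subsystem-show kra" exactly as quoted in the triage notes above (exit 0 with "Subsystem ID:" lines when configured, exit 1 with "No kra subsystem" or "Invalid instance" otherwise). The assumption that the exit code is 0 only when the subsystem exists comes from those notes; the helper names (run_pki_server_subsystem_show, subsystem_state, fake_runner) and the sample outputs are constructed for the example, and the fake runner lets the scenario from the report (CA only, stale kra/ directory) be reproduced offline without a PKI instance.

```python
"""Detecting a Dogtag PKI subsystem: directory test versus pki-server query.

Added example, not FreeIPA code. Assumes, as the triage notes state, that
``pki-server subsystem-show <id>`` exits 0 only when the subsystem exists.
"""
import os
import subprocess
import tempfile

# Constructed sample outputs, shaped like the three cases in the triage notes.
OUTPUT_CONFIGURED = (
    "  Subsystem ID: kra\n"
    "  Instance ID: pki-tomcat\n"
    "  Enabled: True\n"
)
OUTPUT_NO_SUBSYSTEM = "ERROR: No kra subsystem in instance pki-tomcat.\n"
OUTPUT_NO_INSTANCE = "ERROR: Invalid instance pki-tomcat.\n"


def is_installed_by_directory(subsystem, pki_tomcat_dir="/var/lib/pki/pki-tomcat"):
    """The weak check from the report: a leftover directory counts as 'installed'."""
    return os.path.exists(os.path.join(pki_tomcat_dir, subsystem.lower()))


def run_pki_server_subsystem_show(subsystem):
    """Run ``pki-server subsystem-show <subsystem>``; return (returncode, output).

    stdout and stderr are merged because the report does not say which stream
    carries the ERROR line; the decision below relies on the return code.
    """
    proc = subprocess.run(
        ["pki-server", "subsystem-show", subsystem],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        universal_newlines=True, check=False,
    )
    return proc.returncode, proc.stdout


def parse_subsystem_show(output):
    """Turn the 'Key: value' lines of a successful subsystem-show into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line and not line.lstrip().startswith("ERROR"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def subsystem_state(subsystem, runner=run_pki_server_subsystem_show):
    """Classify the outcome of asking Dogtag about one subsystem.

    'configured'    exit 0 and the output names the requested Subsystem ID
    'absent'        instance exists but this subsystem does not
    'no-instance'   no PKI instance at all (no CA, no KRA)
    'no-pki-server' the pki-server binary could not be executed
    'unknown'       anything else (treated as not installed by the caller)
    """
    try:
        rc, output = runner(subsystem)
    except OSError:
        return "no-pki-server"
    if rc == 0:
        fields = parse_subsystem_show(output)
        if fields.get("Subsystem ID", "").lower() == subsystem.lower():
            return "configured"
        return "unknown"
    if "Invalid instance" in output:
        return "no-instance"
    if "No %s subsystem" % subsystem in output:
        return "absent"
    return "unknown"


def is_installed_by_pki_server(subsystem, runner=run_pki_server_subsystem_show):
    """Only a positive answer from Dogtag counts; what is on disk is irrelevant."""
    return subsystem_state(subsystem, runner) == "configured"


def fake_runner(rc, output):
    """Stand-in for run_pki_server_subsystem_show (offline use / tests)."""
    def runner(subsystem):
        return rc, output
    return runner


def stale_kra_directory_demo():
    """Reproduce the report offline: CA-only server with a leftover kra/ dir.

    Returns (directory_check, pki_server_check): the first is wrongly True,
    the second correctly False.
    """
    with tempfile.TemporaryDirectory() as pki_dir:
        os.mkdir(os.path.join(pki_dir, "kra"))  # stale directory, no KRA configured
        by_dir = is_installed_by_directory("kra", pki_tomcat_dir=pki_dir)
        by_cmd = is_installed_by_pki_server(
            "kra", runner=fake_runner(1, OUTPUT_NO_SUBSYSTEM))
    return by_dir, by_cmd


if __name__ == "__main__":
    print("directory check / pki-server check:", stale_kra_directory_demo())
```

The runner is passed in as a parameter so an upgrade plugin can be exercised without a live Dogtag instance; on a real server the default runner shells out to pki-server, which, as the triage notes say, does not need the services to be running.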
Upstream ticket: https://pagure.io/freeipa/issue/8596
Fixed upstream master:
https://pagure.io/freeipa/c/930453b65ea17e190a46208763d366739646264b
https://pagure.io/freeipa/c/526686ec1c6f0fa018c4ffd61ef091783a48163f
Test case provided upstream in test_integration/test_upgrade.py::TestUpgrade::test_kra_detection
ipa-4-8:
  af830c0 Improve PKI subsystem detection
  7d47e37 ipatests: add test for PKI subsystem detection
ipa-4-9:
  cf30cc3 Improve PKI subsystem detection
  24f6a36 ipatests: add test for PKI subsystem detection
Fixed upstream ipa-4-6:
https://pagure.io/freeipa/c/137c4567e3b266c7318f3ac7228b65daa3863825
https://pagure.io/freeipa/c/8367ede02b0a7881f4785ff7d2c90a7d2ee54c4c
Test fixed: Fixed upstream master: https://pagure.io/freeipa/c/6e0634bd72f60295b86a1561adf94f14d6948009
Test Fixed upstream
ipa-4-8: https://pagure.io/freeipa/c/35be9259bf4d00fe9423819273d482f590a94cd6
ipa-4-9: https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6
Test Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/46a4e93da1034d596fa58ab4d1c4d0ac637ecebc
Verified based on following details.

IPA Version:
=============
  2021-02-10T07:12:25+0000 TASK [List installed IPA packages version] *************************************
  2021-02-10T07:12:26+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
  2021-02-10T07:12:26+0000   msg:
  2021-02-10T07:12:26+0000   - arch: x86_64
  2021-02-10T07:12:26+0000     epoch: null
  2021-02-10T07:12:26+0000     name: ipa-server
  2021-02-10T07:12:26+0000     release: 5.el7_9.4
  2021-02-10T07:12:26+0000     source: rpm
  2021-02-10T07:12:26+0000     version: 4.6.8

Snip from test-result log:
==========================
Test "test_kra_detection" is executed successfully.

  ============================= test session starts ==============================
  platform linux2 -- Python 2.7.5, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python2
  cachedir: .pytest_cache
  metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-1160.17.1.el7.x86_64-x86_64-with-redhat-7.9-Maipo', 'Packages': {'py': '1.10.0', 'pytest': '3.10.1', 'pluggy': '0.13.1'}, 'Plugins': {u'html': u'1.22.1', u'multihost': u'1.1', u'sourceorder': u'0.5', u'metadata': u'1.11.0'}}
  rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile:
  plugins: metadata-1.11.0, html-1.22.1, multihost-1.1, sourceorder-0.5
  collecting ... collected 3 items

  test_integration/test_upgrade.py::TestUpgrade::test_invoke_upgrader PASSED [ 33%]
  test_integration/test_upgrade.py::TestUpgrade::test_double_encoded_cacert PASSED [ 66%]
  test_integration/test_upgrade.py::TestUpgrade::test_kra_detection PASSED [100%]

  ---------------- generated xml file: /home/cloud-user/junit.xml ----------------
  ----------- generated html file: file:///home/cloud-user/report.html -----------
  ========================== 3 passed in 618.53 seconds ==========================