Bug 2049167
| Summary: | KRA GetStatus service blocked by IPA proxy |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Component: | ipa |
| Version: | 8.6 |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | Florence Blanc-Renaud <frenaud> |
| Assignee: | Florence Blanc-Renaud <frenaud> |
| QA Contact: | ipa-qe <ipa-qe> |
| CC: | mpolovka, rcritten, rjeffman, ssidhaye, sumenon, tscherf |
| Target Milestone: | rc |
| Keywords: | Triaged |
| Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | idm-DL1-8060020220203151553.92098735 |
| : | 2049174 |
| Last Closed: | 2022-05-10 14:09:17 UTC |
| Bug Blocks: | 2027470, 2049174 |

Description
Florence Blanc-Renaud
2022-02-01 17:00:14 UTC
Upstream ticket: https://pagure.io/freeipa/issue/9099

Fixed upstream:
master:
f3636c6 ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
https://pagure.io/freeipa/c/f3636c6afa75d9822a2fd1a535415b09f3fe1867
ipa-4-9:
9bae549 ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
https://pagure.io/freeipa/c/9bae5492270d8b695999cd82831cbee62b04626b
Note for QE:
There is already an integration test that can be used to verify the fix, in (upstream) test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
Currently the test is failing when running ipa-healthcheck with the following error:
Internal error testing KRA clone. KRA clone problem detected Host: replica1.ipa.test Port: 443
[
  {
    "source": "pki.server.healthcheck.clones.connectivity_and_data",
    "check": "ClonesConnectivyAndDataCheck",
    "result": "ERROR",
    "uuid": "abd43647-a4d7-4da0-b970-d23538bbb5dd",
    "when": "20201115044756Z",
    "duration": "5.190928",
    "kw": {
      "status": "ERROR: pki-tomcat : Internal error testing KRA clone. Host: replica1.ipa.test Port: 443"
    }
  }
]
With this fix + *a fix in pki*, the test should pass.
The other way to verify this test is to use curl (it doesn't require the pki part of the fix).
Install ipa-server with --setup-kra
Without the fix:
# curl https://`hostname`/kra/admin/kra/getStatus
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
With the fix:
# curl https://`hostname`/kra/admin/kra/getStatus
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>KRA</Type><Status>running</Status><Version>10.10.7-1.fc34</Version></XMLResponse>
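
The curl check above, as an added example that is not part of the original report: a Python helper that classifies a getStatus response as blocked by the proxy, healthy, or unexpected. The function names and verdict strings are assumptions; the two sample bodies are constructed from the curl outputs quoted above.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed samples, taken from the two curl outputs in the report.
BLOCKED = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
           b'<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n'
           b'</body></html>')
FIXED = (b'<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse>'
         b'<State>1</State><Type>KRA</Type><Status>running</Status>'
         b'<Version>10.10.7-1.fc34</Version></XMLResponse>')


def classify(http_status, body):
    """Return (verdict, fields) for one getStatus response body (bytes)."""
    if http_status == 404:
        return "proxy-blocked", {}  # the symptom described in this bug
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unexpected-body", {}  # e.g. an HTML error page served with 200
    if root.tag != "XMLResponse":
        return "unexpected-body", {}
    fields = {child.tag: (child.text or "") for child in root}
    if fields.get("Type") != "KRA":
        return "wrong-subsystem", fields
    verdict = "ok" if fields.get("Status") == "running" else "kra-not-running"
    return verdict, fields


def probe(host, timeout=10):
    """Fetch the URL from the report over HTTPS (server certificate verified)."""
    url = "https://%s/kra/admin/kra/getStatus" % host
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return classify(err.code, err.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:  # pass each IPA server's FQDN as an argument
        print(name, *probe(name))
```
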
Moving back to Assigned as the original pre-verification was incorrect (the relevant test is xfailed). The original problem is still present, verification failed.
        # Create a user so that the replica gets a range.
        tasks.user_add(self.replicas[0], 'testuser')
        tasks.user_del(self.replicas[0], 'testuser')
        for srv in (self.master, self.replicas[0]):
            returncode, _unused = run_healthcheck(
                srv,
                failures_only=True
            )
>           assert returncode == 0
E           assert 1 == 0
=========================== short test summary info ============================
FAIL test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_ipahealthcheck_hidden_replica
Moving back to ON_QA as the ClonesConnectivyAndDataCheck error is not reported any more. The error is a new issue that will be tracked separately. Marking verified using automation present at test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica on RHEL8.6 machine
transport.py 513 DEBUG RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py 558 DEBUG Unhandler rdtype 256
transport.py 558 DEBUG Unhandler rdtype 256
transport.py 558 DEBUG Unhandler rdtype 256
transport.py 558 DEBUG Unhandler rdtype 256
transport.py 558 DEBUG [
transport.py 558 DEBUG {
transport.py 558 DEBUG "source": "ipahealthcheck.ipa.files",
transport.py 558 DEBUG "check": "IPAFileCheck",
transport.py 558 DEBUG "result": "WARNING",
transport.py 558 DEBUG "uuid": "7fab1315-9dc2-4347-96a0-ab75ec8d1edf",
transport.py 558 DEBUG "when": "20220224104952Z",
transport.py 558 DEBUG "duration": "0.004415",
transport.py 558 DEBUG "kw": {
transport.py 558 DEBUG "key": "_var_log_kadmind.log_mode",
transport.py 558 DEBUG "path": "/var/log/kadmind.log",
transport.py 558 DEBUG "type": "mode",
transport.py 558 DEBUG "expected": "0600",
transport.py 558 DEBUG "got": "0640",
transport.py 558 DEBUG "msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and should be 0600"
transport.py 558 DEBUG }
transport.py 558 DEBUG }
transport.py 558 DEBUG ]
transport.py 217 DEBUG Exit code: 1
Full test log is available as an attachment to this BZ.
The error observed has been reported at https://bugzilla.redhat.com/show_bug.cgi?id=2058239, however, the original issue is fixed.
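
An added example, not part of the original bug comments: the test asserts only on the ipa-healthcheck exit code, so any failing check makes it fail. This Python sketch pulls the JSON array out of a `transport.py`-prefixed test log and separates the KRA clone check named in the description from unrelated failures. The function names and the returned dictionary layout are assumptions; the sample log is constructed and abridged from the excerpt above.

```python
import json
import re

# Signature of this bug, taken from the healthcheck output in the description.
BUG_SOURCE = "pki.server.healthcheck.clones.connectivity_and_data"
BUG_CHECK = "ClonesConnectivyAndDataCheck"  # spelling as emitted by the check

PREFIX = re.compile(r"^\S+\.py\s+\d+\s+DEBUG ?")  # e.g. "transport.py 558 DEBUG "

# Constructed sample, abridged from the test log quoted in the comment above.
LOG = """\
transport.py 513 DEBUG RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py 558 DEBUG Unhandler rdtype 256
transport.py 558 DEBUG [
transport.py 558 DEBUG   {
transport.py 558 DEBUG     "source": "ipahealthcheck.ipa.files",
transport.py 558 DEBUG     "check": "IPAFileCheck",
transport.py 558 DEBUG     "result": "WARNING",
transport.py 558 DEBUG     "kw": {"path": "/var/log/kadmind.log", "expected": "0600", "got": "0640"}
transport.py 558 DEBUG   }
transport.py 558 DEBUG ]
transport.py 217 DEBUG Exit code: 1
"""


def extract_results(log_text):
    """Return the healthcheck JSON array embedded in a prefixed test log."""
    lines = [PREFIX.sub("", line) for line in log_text.splitlines()]
    try:
        start = [line.strip() for line in lines].index("[")
    except ValueError:
        return []  # no JSON array in the log: healthcheck reported nothing
    text = "\n".join(lines[start:]).lstrip()
    # raw_decode parses the first JSON value and ignores the trailing log lines.
    results, _end = json.JSONDecoder().raw_decode(text)
    return results


def triage(results):
    """Split reported failures into this bug's check and everything else."""
    ours = [r for r in results
            if r.get("source") == BUG_SOURCE and r.get("check") == BUG_CHECK]
    others = sorted({(r.get("source", ""), r.get("check", ""), r.get("result", ""))
                     for r in results if r not in ours})
    return {"kra_clone_check_failed": bool(ours), "other_failures": others}
```
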
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2022:1884