Bug 2234711
| Summary: | ipa should require krb5 1.18.2-25 or newer [rhel-8] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | ipa | Assignee: | Rafael Jeffman <rjeffman> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Polovka <mpolovka> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | abokovoy, amore, bstinson, frenaud, jpazdziora, jrische, jwboyer, mpolovka, pvauter, rcritten, rjeffman, shdunne, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.9.12-8.module+el8.9.0+19821+643911d0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-14 15:32:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2023-09-04 | ||
Description
Jan Pazdziora (Red Hat)
2023-08-25 08:22:06 UTC
We saw something very similar on AlmaLinux earlier: https://bugs.almalinux.org/view.php?id=411

The effect on FreeIPA is this: take CentOS 8 Stream. If you don't have it, start with RHEL 8 and turn it into CentOS 8 Stream with

    dnf install -y http://mirror.centos.org/centos/8-stream/BaseOS/$(uname -m)/os/Packages/centos-stream-repos-8-6.el8.noarch.rpm http://mirror.centos.org/centos/8-stream/BaseOS/$(uname -m)/os/Packages/centos-gpg-keys-8-6.el8.noarch.rpm
    rpm -e redhat-release-eula
    rmdir /usr/share/redhat-release
    sed -i 's/^/# /' /etc/yum/protected.d/redhat-release.conf
    dnf swap -y redhat-release centos-stream-release

Remove any RHEL repos that might be configured in /etc/yum.repos.d.

    yum upgrade -y
    yum -y module enable idm:DL1
    yum install -y --setopt=install_weak_deps=False ipa-server
    ipa-server-install -U -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123

That will fail with

      [42/43]: configuring directory to start on boot
      [43/43]: restarting directory server
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc)
      [1/10]: adding kerberos container to the directory
      [2/10]: configuring KDC
      [3/10]: initialize kerberos container
      [error] RuntimeError: Failed to initialize kerberos container
    Failed to initialize kerberos container
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Maybe the issue is also in the ipa packages that they rely on some newer krb5* packages and should have a versioned dependency to force their installation (or fail during installation)?
1.18.2-25.el8 is there: http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/krb5-server-1.18.2-25.el8.x86_64.rpm

I cannot reproduce your behavior:

    $ podman run --rm -ti quay.io/centos/centos:stream8 /bin/bash
    [root@222a4c047e39 /]# rpm -qa|grep krb5
    krb5-libs-1.18.2-25.el8.x86_64
    [root@222a4c047e39 /]# dnf -y install krb5-server
    Failed to set locale, defaulting to C.UTF-8
    CentOS Stream 8 - AppStream                  11 MB/s |  33 MB  00:02
    CentOS Stream 8 - BaseOS                     11 MB/s |  44 MB  00:03
    CentOS Stream 8 - Extras                     59 kB/s |  18 kB  00:00
    CentOS Stream 8 - Extras common packages     23 kB/s | 6.8 kB  00:00
    Dependencies resolved.
    ========================================================================
     Package           Architecture   Version          Repository     Size
    ========================================================================
    Installing:
     krb5-server       x86_64         1.18.2-25.el8    baseos         1.1 M
    Installing dependencies:
     libev             x86_64         4.24-6.el8       appstream       52 k
     libkadm5          x86_64         1.18.2-25.el8    baseos         188 k
     libss             x86_64         1.45.6-5.el8     baseos          54 k
     libverto-libev    x86_64         0.3.2-2.el8      appstream       16 k
     logrotate         x86_64         3.14.0-6.el8     baseos          86 k
     words             noarch         3.0-28.el8       baseos         1.4 M

    Transaction Summary
    ========================================================================
    Install  7 Packages

    Total download size: 2.8 M
    Installed size: 6.7 M
    Downloading Packages:
    CentOS Stream 8 - AppStream 206% [========
    (1/7): libverto-libev-0.3.2-2.el8.x86_64.rpm   624 kB/s |  16 kB  00:00
    (2/7): libev-4.24-6.el8.x86_64.rpm             1.0 MB/s |  52 kB  00:00
    (3/7): libss-1.45.6-5.el8.x86_64.rpm           357 kB/s |  54 kB  00:00
    (4/7): libkadm5-1.18.2-25.el8.x86_64.rpm       850 kB/s | 188 kB  00:00
    (5/7): logrotate-3.14.0-6.el8.x86_64.rpm       446 kB/s |  86 kB  00:00
    (6/7): krb5-server-1.18.2-25.el8.x86_64.rpm    2.3 MB/s | 1.1 MB  00:00
    (7/7): words-3.0-28.el8.noarch.rpm             2.5 MB/s | 1.4 MB  00:00
    ------------------------------------------------------------------------
    Total                                          2.4 MB/s | 2.8 MB  00:01
    CentOS Stream 8 - AppStream                    1.6 MB/s | 1.6 kB  00:00
    Importing GPG key 0x8483C65D:
     Userid     : "CentOS (CentOS Official Signing Key) <security>"
     Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
     From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
    Key imported successfully
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                       1/1
      Installing       : words-3.0-28.el8.noarch               1/7
      Running scriptlet: logrotate-3.14.0-6.el8.x86_64         2/7
      Installing       : logrotate-3.14.0-6.el8.x86_64         2/7
      Installing       : libss-1.45.6-5.el8.x86_64             3/7
      Running scriptlet: libss-1.45.6-5.el8.x86_64             3/7
      Installing       : libkadm5-1.18.2-25.el8.x86_64         4/7
      Installing       : libev-4.24-6.el8.x86_64               5/7
      Installing       : libverto-libev-0.3.2-2.el8.x86_64     6/7
      Installing       : krb5-server-1.18.2-25.el8.x86_64      7/7
      Running scriptlet: krb5-server-1.18.2-25.el8.x86_64      7/7
    System has not been booted with systemd as init system (PID 1). Can't operate.
    Failed to connect to bus: Host is down
      Verifying        : libev-4.24-6.el8.x86_64               1/7
      Verifying        : libverto-libev-0.3.2-2.el8.x86_64     2/7
      Verifying        : krb5-server-1.18.2-25.el8.x86_64      3/7
      Verifying        : libkadm5-1.18.2-25.el8.x86_64         4/7
      Verifying        : libss-1.45.6-5.el8.x86_64             5/7
      Verifying        : logrotate-3.14.0-6.el8.x86_64         6/7
      Verifying        : words-3.0-28.el8.noarch               7/7

    Installed:
      krb5-server-1.18.2-25.el8.x86_64
      libev-4.24-6.el8.x86_64
      libkadm5-1.18.2-25.el8.x86_64
      libss-1.45.6-5.el8.x86_64
      libverto-libev-0.3.2-2.el8.x86_64
      logrotate-3.14.0-6.el8.x86_64
      words-3.0-28.el8.noarch

    Complete!
    [root@222a4c047e39 /]#

This is probably a side-effect of using CentOS mirrors. If some of them aren't fully synced up, they might have incomplete data and you get to use what is available at the install time. I cannot reproduce this in my case, even when attempting to install IPA packages from the modular stream.

You are right that some mirrors have the latest version and some don't. I thought it was a general "build not pushed to repos" because I consistently got the same faulty behaviour on GitHub Actions runners, from internal Red Hat network, as well as from my home machine.

Running

    tail -f /var/log/dnf.librepo.log &

I can see that at least http://centos2.hti.pl/8-stream/BaseOS/x86_64/os/repodata/ and http://centos.anexia.at/centos/8-stream/BaseOS/x86_64/os/repodata/ have repomd.xml from July 10, so over a month and half old.

Would you know the best place to report infrastructure issues ... CentOS mirrors advertizing mirrors with ancient content?

I filed https://pagure.io/centos-infra/issue/1248 now.

Was that krb5-*-1.18.2-22.el8 faulty in some way, or does FreeIPA (any of its component) now require a newer version?

It seems for some reason we only get the list of stale mirrors for BaseOS, but for AppStream we get the fresh mirrors. So we are getting latest FreeIPA bits but old Kerberos. If FreeIPA requires some specific newer version, should it version-require it?
Pre-verified manually using RHEL8.9 machine with test compose enabled with ipa-4.9.12-8.module+el8.9.0+19821+643911d0
ipa.spec
67 %global krb5_version 1.18.2-25
68 %global krb5_kdb_version 8.0
245 BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
246 BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
247 BuildRequires: krb5-devel >= %{krb5_version}
431 Requires(post): krb5-server >= %{krb5_version}
661 Requires: krb5-workstation >= %{krb5_version}
Specfile update to reflect required change, marking as pre-verified: tested.
Verified manually with nightly compose and package ipa-4.9.12-8.module+el8.9.0+19821+643911d0.src.rpm
Relevant content of ipa.spec:
67 %global krb5_version 1.18.2-25
68 %global krb5_kdb_version 8.0
245 BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
246 BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
247 BuildRequires: krb5-devel >= %{krb5_version}
431 Requires(post): krb5-server >= %{krb5_version}
432 Requires(post): krb5-server >= %{krb5_base_version}
661 Requires: krb5-workstation >= %{krb5_version}
662 # Support pkinit with client install
663 Requires: krb5-pkinit-openssl >= %{krb5_version}
Spec file updated, marking as Verified.
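
The versioned Requires quoted above protect an install only if RPM's comparison treats the installed krb5 build as at least `1.18.2-25`. As an added example (not part of the bug report or of the ipa packaging), this Python check reimplements a subset of RPM's version comparison, without `~` or `^` handling, and applies the `krb5_version` floor to a package inventory; the function names and both sample inventories are constructed for illustration.

```python
import re

MIN_KRB5 = "1.18.2-25"  # %global krb5_version from the ipa.spec excerpt
REQUIRED = ("krb5-server", "krb5-workstation", "krb5-pkinit-openssl")

def rpmvercmp(a, b):
    """Compare version or release strings segment by segment, as RPM does."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1  # a numeric segment is newer than an alphabetic one
        if xnum:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # leftover segments win

def split_evr(evr):
    """'[epoch:]version[-release]' -> (epoch, version, release or None)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release or None

def evr_cmp(installed, required):
    """Negative, zero or positive; release is skipped when either side omits it."""
    ie, iv, ir = split_evr(installed)
    qe, qv, qr = split_evr(required)
    if ie != qe:
        return 1 if ie > qe else -1
    c = rpmvercmp(iv, qv)
    if c or ir is None or qr is None:
        return c
    return rpmvercmp(ir, qr)

def unmet(installed, minimum=MIN_KRB5, required=REQUIRED):
    """Return {package: reason} for each required package missing or too old."""
    problems = {}
    for name in required:
        evr = installed.get(name)
        if evr is None:
            problems[name] = "not installed"
        elif evr_cmp(evr, minimum) < 0:
            problems[name] = f"{evr} < {minimum}"
    return problems

# Constructed inventories, shaped like: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
STALE_MIRROR = {n: "1.18.2-22.el8" for n in REQUIRED}
FRESH_MIRROR = {n: "1.18.2-25.el8" for n in REQUIRED}
```

The release `25.el8` compares as newer than the bare `25` in the spec because it has segments left over after the common prefix, which is why the `>= 1.18.2-25` floor accepts the 1.18.2-25.el8 builds and rejects 1.18.2-22.el8.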
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977