Bug 2332433 - IPA Client Fails to Install/Initialize on Fedora Atomic Because of Missing Directories
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-12-14 23:39 UTC by Alex Botelho
Modified: 2025-08-04 05:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
tmpfiles config that seems to fix the missing directories error (218 bytes, text/plain)
2024-12-14 23:40 UTC, Alex Botelho


Links
- GitHub ublue-os/bluefin issue 2028 (open): "SSSD binaries missing capabilities" like in Bazzite issue #1818 (last updated 2024-12-14 23:39:29 UTC)
- Red Hat Issue Tracker FREEIPA-11841 (last updated 2024-12-14 23:40:04 UTC)

Description Alex Botelho 2024-12-14 23:39:30 UTC
Description of problem: FreeIPA client cannot be initialized/installed on a custom SilverBlue image (with freeipa-client installed) with `ipa-client-install` because directories are missing.

How reproducible:
Every time.

Steps to Reproduce:
1. On a vanilla SilverBlue image use the following Containerfile:
```dockerfile
FROM quay.io/fedora-ostree-desktops/silverblue:41

RUN dnf install freeipa-client --assumeyes
```

2. Build a custom image: `sudo podman build -t freeipa-bootc -f Containerfile`

3. Switch SilverBlue to the custom image: `sudo bootc switch --transport containers-storage localhost/freeipa-bootc`

4. Run `ipa-client-install --mkhomedir` and complete a regular FreeIPA client install.

Actual results:
```
[Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/sysrestore.state'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
```

Creating /var/lib/ipa-client by hand leads to `certmonger.service` failing, complaining about `/var/lib/certmonger` and other files missing.

Expected results:
Successful IPA client initialization/install.

Additional info, possible fix:
I added the below `systemd-tmpfiles` configuration to `/etc/tmpfiles.d`:
```
d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore
```
Although obviously the package(s) would include it in `/usr/lib/tmpfiles.d` instead.

Logging into the system fails regardless, but that seems unrelated, and I will file a separate bug for that.

I also added a link to the Bluefin (Fedora uBlue image) issue I filed which is related.

Comment 1 Alex Botelho 2024-12-14 23:40:45 UTC
Created attachment 2062510 [details]
tmpfiles config that seems to fix the missing directories error

Comment 2 Alexander Bokovoy 2024-12-15 08:22:20 UTC
Thanks for the report. We are planning to work on bootc integration early 2025. This is not the only problem to solve, unfortunately.

I mentioned some of these issues in my Flock to Fedora talk this year https://cfp.fedoraproject.org/flock-2024/talk/Q8MNVM/. We have been blocked so far by a number of issues in rpm-ostree and bootc around SELinux policy and handling of xattrs in the derived images. The latter issue was recently resolved (and, for example, SSSD started to work properly in a fully setup environment), so there is some progress. 

Using tmpfiles needs to be limited to specific packages. FreeIPA should not own tmpfiles for certmonger, for example, so that part cannot be merged to FreeIPA.

We also need to properly handle client upgrades to be run in a systemd unit at deployment side rather than during the package upgrade. I have opened https://pagure.io/freeipa/issue/9684 for that and intend to handle tmpfiles there as well, but this will come in 2025.

Moving the state to assigned to indicate it is in plans to work on this bug.

Comment 3 Alex Botelho 2024-12-19 01:45:13 UTC
Thanks for your time Alex! I've opened a merge request with Bluefin to remove freeipa-client and sssd-ipa from their image for now. I will try and keep an eye on progress for all of this and have Bluefin add it back in once it works.

YouTube seems uninterested in buffering that video at the moment for some reason. I will definitely have a look at a later time.

Cheers!

Comment 4 yacoob 2025-07-19 22:28:01 UTC
FWIW, it's not limited to the client alone - the freeipa-server-common package contains a number of directories under /var/lib and they are all missing on a silverblue install, which in turn breaks ipa-server-install.

Comment 5 Alexander Bokovoy 2025-08-04 05:52:44 UTC
(In reply to yacoob from comment #4)
> FWIW, it's not limited to the client alone - freeipa-server-common package
> contains a number of directories under /var/lib and they are all missing on
> a silverblue install. Which in turn breaks ipa-server-install.

Yes, it is a known problem. We haven't started working on the fix yet, but we intend to. Before it is fixed, we do not support running IPA server in the bootc environments.

I'm moving this bug to Rawhide. If we fix it, there will be no intent to backport to F41, for sure.

