Bug 2439482 - freeipa-client %triggerin and %post can fail (rpm scriptlets should never fail, by policy)
Summary: freeipa-client %triggerin and %post can fail (rpm scriptlets should never fai...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 43
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-12 19:38 UTC by Adam Williamson
Modified: 2026-02-23 15:01 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Adam Williamson 2026-02-12 19:38:25 UTC
Current F43 freeipa-client scriptlets fail on some infra hosts:

[ 69/246] Upgrading sssd-common-0:2.12.0-1.fc43.aarch64                                                                          100% |  20.6 MiB/s |   6.3 MiB |  00m00s
>>> Running %triggerin scriptlet: freeipa-client-0:4.13.0-2.fc43.aarch64                                                                                                 
>>> Non-critical error in %triggerin scriptlet: freeipa-client-0:4.13.0-2.fc43.aarch64                                                                                   
>>> Scriptlet output:                                                                                                                                                    
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>>                                                                                                                                                                      
>>> [RPM] %triggerin(freeipa-client-4.13.0-2.fc43.aarch64) scriptlet failed, exit status 2                                                                               
...
>>> Finished %post scriptlet: freeipa-client-0:4.13.1-1.fc43.aarch64                                                                                                     
>>> Scriptlet output:                                                                                                                                                    
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>>                                                                                                                                                                      
>>> Running %triggerin scriptlet: freeipa-client-0:4.13.1-1.fc43.aarch64                                                                                                 
>>> Non-critical error in %triggerin scriptlet: freeipa-client-0:4.13.1-1.fc43.aarch64                                                                                   
>>> Scriptlet output:                                                                                                                                                    
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>> sed: can't read /etc/ssh/ssh_config.d/04-ipa.conf: No such file or directory                                                                                         
>>>                                                                                                                                                                      
>>> [RPM] %triggerin(freeipa-client-4.13.1-1.fc43.aarch64) scriptlet failed, exit status 2                                                                               

This is against the package policy: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax

"All scriptlets MUST exit with the zero exit status. Because RPM in its default configuration does not execute shell scriptlets with the -e argument to the shell, excluding explicit exit calls (frowned upon with a non-zero argument!), the exit status of the last command in a scriptlet determines its exit status. Most commands in the snippets in this document have a "|| :" appended to them, which is a generic trick to force the zero exit status for those commands whether they worked or not. Usually the most important bit is to apply this to the last command executed in a scriptlet, or to add a separate command such as plain ":" or "exit 0" as the last one in a scriptlet. Note that depending on the case, other error checking/prevention measures may be more appropriate."

The failures in this case don't cause the tranasction to fail immediately (fortunately), but they do cause its overall exit code to be non-zero, which means ansible shows the step as failed.

Comment 1 David Hanina 2026-02-23 14:00:56 UTC
Hi Adam, can you please be more specific on how you managed to get this error, from the logs it looks like you've been using older version and updating to the latest one? We've not managed to reproduce this issue (regardless, this still seems to be a general packaging style issue).

Comment 2 Alexander Bokovoy 2026-02-23 15:01:10 UTC
David, I already fixed this in the current package build.

https://src.fedoraproject.org/rpms/freeipa/c/9b5b1650a6e709dd18aca100dbfbb4f8635e0621?branch=rawhide


Note You need to log in before you can comment on or make changes to this bug.