Bug 739604 - ipa-server-install :: failing to configure CA :: restorecon returning 1 when changing context
Summary: ipa-server-install :: failing to configure CA :: restorecon returning 1 when ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 743047
TreeView+ depends on / blocked
 
Reported: 2011-09-19 15:47 UTC by Jenny Galipeau
Modified: 2011-12-06 18:31 UTC (History)
3 users (show)

Fixed In Version: ipa-2.1.1-3.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:31:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Jenny Galipeau 2011-09-19 15:47:31 UTC
Description of problem:
IPA server is now failing to install as restorecon returns 1 when changing context and IPA is expecting 0 for success.

Unexpected error - see ipaserver-install.log for details:
 Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1


ipa-server-install.log

<snip>

2011-09-19 11:36:41,937 DEBUG stderr=
2011-09-19 11:36:42,002 DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -f XXXXXXXX -A -t CT,C,C -n TESTRELM IPA CA -a -i /tmp/tmpo5puqh
2011-09-19 11:36:42,003 DEBUG stdout=
2011-09-19 11:36:42,004 DEBUG stderr=
2011-09-19 11:36:42,005 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,006 DEBUG   [8/17]: fixing RA database permissions
2011-09-19 11:36:42,008 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,009 DEBUG   [9/17]: setting up signing cert profile
2011-09-19 11:36:42,012 DEBUG   duration: 0 seconds
2011-09-19 11:36:42,013 DEBUG   [10/17]: set up CRL publishing
2011-09-19 11:36:44,042 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish
2011-09-19 11:36:44,043 DEBUG stdout=
2011-09-19 11:36:44,044 DEBUG stderr=
2011-09-19 11:36:44,067 DEBUG Command '/sbin/restorecon /var/lib/pki-ca/publish' returned non-zero exit status 1
  File "/usr/sbin/ipa-server-install", line 1068, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 871, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 544, in configure_instance
    self.start_creation("Configuring certificate server", 210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 276, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1047, in __enable_crl_publish
    ipautil.run(["/sbin/restorecon", publishdir])

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 242, in run
    raise CalledProcessError(p.returncode, args)


</snip>


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Martin Kosek 2011-09-19 15:58:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1816

Comment 2 Rob Crittenden 2011-09-19 15:58:58 UTC
This isn't a regression in IPA code.

Dan Walsh tells me that restorecon returns 1 when it changes a context. Not
sure if this is something new or if something else changed.

Comment 4 Daniel Walsh 2011-09-19 16:08:17 UTC
You should probably just ignore the status output from restorecon.

Comment 8 Jenny Galipeau 2011-09-21 14:26:41 UTC
fix verified :

<snip>

2011-09-21 10:07:43,622 DEBUG   [9/17]: setting up signing cert profile
2011-09-21 10:07:43,623 DEBUG   duration: 0 seconds
2011-09-21 10:07:43,623 DEBUG   [10/17]: set up CRL publishing
2011-09-21 10:07:43,759 DEBUG args=/sbin/restorecon /var/lib/pki-ca/publish
2011-09-21 10:07:43,759 DEBUG stdout=
2011-09-21 10:07:43,759 DEBUG stderr=
2011-09-21 10:07:43,759 DEBUG   duration: 0 seconds
2011-09-21 10:07:43,759 DEBUG   [11/17]: set certificate subject base
2011-09-21 10:07:43,761 DEBUG   duration: 0 seconds

</snip>

version:

ipa-server-2.1.1-3.el6.x86_64

Comment 10 Martin Kosek 2011-11-01 09:37:18 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 11 errata-xmlrpc 2011-12-06 18:31:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.