
Bug 842374

Summary: Can't run ipa-server-install in %post section of kickstart file
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.3
Status: CLOSED UPSTREAM
Severity: high
Priority: unspecified
Target Milestone: rc
Keywords: Reopened
Hardware: Unspecified
OS: Linux
Reporter: Anthony Green <green>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: dpal, jgalipea, mkosek
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-10-04 20:24:53 UTC
Attachments: ipaserver-install log file; kickstart file; /var/log contents

Description Anthony Green 2012-07-23 15:52:09 UTC
Created attachment 599821 [details]
ipaserver-install log file

Description of problem:
I am trying to run ipa-server-install in the %post section of a kickstart file.  It does not work.  However, once the system reboots, I am able to log in as root and run it, no problem.


Version-Release number of selected component (if applicable):
ipa-server-2.2.0-16.el6.x86_64


How reproducible:
Always

Steps to Reproduce:
1. See attached kickstart file.  I mount the RHEL6.3 ISO at /mnt and run...

virt-install \
    --disk /path/to/rhel6.3/dvd.iso,device=cdrom \
    --name ipa.atgreen.org --ram 1024 \
    --disk /var/lib/libvirt/images/ipa.atgreen.org.img,size=8 \
    --network network:10_0,model=virtio \
    --network network:default,model=virtio \
    -l /mnt \
    -x "ks=file:/ipa.ks" \
    --initrd-inject=ipa.ks \
    --noreboot --force


2.
3.
  
Actual results:
See attached log file.

Expected results:
It should work.

Additional info:

Comment 1 Anthony Green 2012-07-23 15:53:12 UTC
Created attachment 599822 [details]
kickstart file

Comment 2 Rob Crittenden 2012-07-23 15:57:27 UTC
Can you attach the 389-ds-base log for the IPA Instance?

Comment 4 Anthony Green 2012-07-23 16:29:47 UTC
Created attachment 599831 [details]
/var/log contents

Comment 5 Anthony Green 2012-07-23 16:31:05 UTC
(In reply to comment #2)
> Can you attach the 389-ds-base log for the IPA Instance?

I don't see anything that looks like that, so I just attached all of /var/log.

Comment 6 Rob Crittenden 2012-07-23 17:56:12 UTC
The problem is that the IPA 389-ds isn't getting set up properly:

[23/Jul/2012:11:33:08 -0400] - import userRoot: Could not open LDIF file "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)

The result is that the entire basedn is missing, which is why nothing can be loaded into it.

I don't see any AVCs so it may simply be a file permission problem. Why this isn't seen when installing afterward is unclear.

Comment 7 Anthony Green 2012-07-23 18:17:05 UTC
(In reply to comment #6)
> The problem is that the IPA 389-ds isn't getting set up properly:
> 
> [23/Jul/2012:11:33:08 -0400] - import userRoot: Could not open LDIF file
> "/var/lib/dirsrv/boot.ldif", errno 13 (Permission denied)
> 
> The result is that the entire basedn is missing, which is why nothing can be loaded
> into it.
> 
> I don't see any AVCs so it may simply be a file permission problem. Why this
> isn't seen when installing afterward is unclear.

/var/lib/dirsrv/boot.ldif doesn't exist.  Where does it come from?

Comment 8 Rob Crittenden 2012-07-23 18:24:40 UTC
It is created by the IPA installer.

During install it should be created mode 0440, owned by the 389-ds user.

Can you see if you have a dirsrv user entry when the %post fails (and you haven't run the installer manually)?

kickstart %post is run after install but before boot, right?

I wonder if it is adding the dirsrv user to the target system but not the running one.
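
The permission reasoning in comments 6 and 8, as an added example that is not part of the bug thread or of IPA's code: a Python 3 check for whether a service account exists and can reach and read a file through mode bits alone. The uid/gid 389 and the stat data in `sample_tree` are constructed; SELinux and ACLs are not modelled.

```python
import os
import pwd
import stat
from types import SimpleNamespace


def dac_allows(st, uid, gids, want):
    """POSIX mode-bit check: owner bits, else group bits, else other bits.
    `want` is given in the 'other' position (stat.S_IROTH or stat.S_IXOTH)."""
    if uid == 0:
        return True  # simplification: root bypasses these checks
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool(st.st_mode & (want << shift))


def first_denial(path, uid, gids, stat_fn=os.stat):
    """Return the first path component the account cannot use, or None."""
    chain, head = [], os.path.abspath(path)
    while True:
        chain.append(head)
        parent = os.path.dirname(head)
        if parent == head:
            break
        head = parent
    for directory in reversed(chain[1:]):  # from / down to the parent dir
        if not dac_allows(stat_fn(directory), uid, gids, stat.S_IXOTH):
            return directory
    target = chain[0]
    return None if dac_allows(stat_fn(target), uid, gids, stat.S_IROTH) else target


def check_service_file(path, user):
    """Live check on a real host: does `user` exist and can it read `path`?"""
    try:
        pent = pwd.getpwnam(user)
    except KeyError:
        return "user %r has no passwd entry" % user
    gids = set(os.getgrouplist(user, pent.pw_gid))
    try:
        denied = first_denial(path, pent.pw_uid, gids)
    except OSError as e:
        return "cannot stat: %s" % e
    return "ok" if denied is None else "denied at %s" % denied


def sample_tree(file_uid, file_gid):
    """Constructed stat data (uid/gid 389 stands in for the dirsrv account)."""
    dirs = ["/", "/var", "/var/lib", "/var/lib/dirsrv"]
    tree = {d: SimpleNamespace(st_mode=0o40755, st_uid=0, st_gid=0) for d in dirs}
    tree["/var/lib/dirsrv/boot.ldif"] = SimpleNamespace(
        st_mode=0o100440, st_uid=file_uid, st_gid=file_gid)
    return tree.__getitem__
```

With the file left as root:root mode 0440, `first_denial` reports the file itself for uid 389, which matches the errno 13 in the import log; with owner or group set to 389 it returns None.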

Comment 9 Rob Crittenden 2012-07-24 13:28:46 UTC
In IRC it was reported that applying this patch fixes it: http://www.redhat.com/archives/freeipa-devel/2012-March/msg00267.html

This is fixed in upstream master: 874a298b073997ec6b1e5a119210c7f0975aed18

Anthony, can you confirm this?

Comment 10 Anthony Green 2012-07-24 13:47:12 UTC
(In reply to comment #9)
> In IRC it was reported that applying this patch fixes it:
> http://www.redhat.com/archives/freeipa-devel/2012-March/msg00267.html
> 
> This is fixed in upstream master: 874a298b073997ec6b1e5a119210c7f0975aed18
> 
> Anthony, can you confirm this?

Yes, that fixes it.  

My work-around is to apply the patch in the kickstart %post section like so:


%post --log=/root/post_install_1.log

# Fix IPA.  See  https://bugzilla.redhat.com/show_bug.cgi?id=842374 
# and  http://www.redhat.com/archives/freeipa-devel/2012-March/msg00267.html
cat > /root/ipa-fix.patch <<IPAFIX
--- /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py.orig       2012-05-26 22:12:20.000000000 -0400
+++ /usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py    2012-07-23 14:11:27.608844877 -0400
@@ -333,6 +333,8 @@
                 root_logger.critical("failed to add user %s" % e)
 
     def __create_instance(self):
+        pent = pwd.getpwnam(DS_USER)
+
         self.backup_state("serverid", self.serverid)
         self.fstore.backup_file("/etc/sysconfig/dirsrv")
 
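Review bot: the `pwd.getpwnam(DS_USER)` call added at the top of `__create_instance` has no handling for `KeyError`. The context line above it shows the user-creation failure path logging `"failed to add user %s"` at critical level; if that path does not abort the install, a missing account would surface here as a bare traceback. Catch `KeyError` and raise an installer error that names the missing user. Also confirm the module imports `pwd`, since no import is added in the visible hunks.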
@@ -347,6 +349,7 @@
 
         # Must be readable for dirsrv
         os.chmod(target_fname, 0440)
+        os.chown(target_fname, pent.pw_uid, pent.pw_gid)
 
         inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
         root_logger.debug("writing inf template")
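Review bot: the added `os.chown(target_fname, ...)` and the existing `os.chmod(target_fname, 0440)` both act on the path, so mode and ownership are applied in two separate path lookups on a file that already exists. Prefer `os.fchmod` and `os.fchown` on the descriptor used to write the file, so both are set on the same inode before it is closed. Passing `pent.pw_gid` with mode 0440 also makes the file readable by the account's primary group; if only the DS user must read it, 0400 is enough, and the "Must be readable for dirsrv" comment could say whether owner or group access is relied on.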
IPAFIX
(cd /; patch -p0 < /root/ipa-fix.patch)

Comment 11 Dmitri Pal 2012-08-06 21:11:47 UTC
If it is already fixed in current version please close the bug.

Comment 12 Jenny Severance 2012-08-10 15:07:45 UTC
Closing bug, fixed in current release

Comment 13 Rob Crittenden 2012-08-10 15:09:31 UTC
This is not fixed in IPA 2.2. It will be fixed in IPA 3.0