Bug 980148 - RHEL7 ipa-replica-prepare gpg error
Summary: RHEL7 ipa-replica-prepare gpg error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-01 14:23 UTC by Scott Poore
Modified: 2014-06-18 00:10 UTC (History)

Fixed In Version: ipa-3.2.2-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:44:27 UTC
Target Upstream Version:
Embargoed:



Description Scott Poore 2013-07-01 14:23:47 UTC
Description of problem:

Running ipa-replica-prepare to set up a gpg package file for IPA fails with a gpg error:

[root@rhel7-1 quickinstall]# ipa-replica-prepare -p PASSWORD --ip-address=192.168.122.72 rhel7-2.testrelm.com
Preparing replica for rhel7-2.testrelm.com from rhel7-1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg
Command '/usr/bin/gpg --batch --homedir /tmp/tmpjpuyvfipa/ipa-YIoufT/.gnupg --passphrase-fd 0 --yes --no-tty -o /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg -c /var/lib/ipa/replica-info-rhel7-2.testrelm.com' returned non-zero exit status 2

Version-Release number of selected component (if applicable):
[root@rhel7-1 ~]# rpm -q ipa-server gnupg2
ipa-server-3.2.1-1.el7.x86_64
gnupg2-2.0.20-1.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  Set up RHEL7 IPA master server (with --setup-dns in my tests)
2.  ipa-replica-prepare -p <password> --ip-address=<ip_of_replica> <hostname_of_replica>


Actual results:
Fails with GPG error listed above.


Expected results:
Finishes and adds DNS entries to IPA

Additional info:
I re-ran with --debug and in the output I see more info:

ipa: DEBUG: args=/usr/bin/gpg --batch --homedir /tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg --passphrase-fd 0 --yes --no-tty -o /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg -c /var/lib/ipa/replica-info-rhel7-2.testrelm.com
ipa: DEBUG: Process finished, return code=2
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg'
gpg: keyring `/tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg/pubring.gpg' created
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running

Comment 1 Scott Poore 2013-07-01 14:34:41 UTC
FYI, I did not see this in F19 and the gnupg2 versions do differ:

[root@f19-1 ~]# rpm -q freeipa-server gnupg2
freeipa-server-3.2.1-1.fc19.x86_64
gnupg2-2.0.19-8.fc19.x86_64

2.0.19-8 in F19 vs 2.0.20-1 in RHEL7.

Comment 3 Rob Crittenden 2013-07-01 18:14:26 UTC
Scott figured out that in F-19 /usr/bin/gpg is provided by the v1 package, gnupg-1.4.13-3.

With gnupg2 the encryption is succeeding but because no agent was found you get a 5 second delay and a return code of 2, which ipa-replica-prepare takes as an error.

We need a way to be able to encrypt a file without requiring an agent. We want to pass in the password via stdin. Tomas, is that possible?

Comment 4 Rob Crittenden 2013-07-08 15:49:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3767

Comment 5 Tomas Mraz 2013-07-09 10:36:51 UTC
So actually this works for me when I put the passphrase into the pass file:

exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3 --batch foo

gpg2 will automatically start the gpg-agent in background when it is not running.

So there must be something else in play.

Comment 6 Rob Crittenden 2013-07-09 21:09:07 UTC
(In reply to Tomas Mraz from comment #5)
> So actually this works for me when I put the passphrase into the pass file:
> 
> exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3
> --batch foo
> 
> gpg2 will automatically start the gpg-agent in background when it is not
> running.
> 
> So there must be something else in play.

The problem occurs when the --homedir option is used:

# echo secret > foo
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --batch foo
# echo $?
0
# rm -f foo.gpg
# mkdir /tmp/abc123
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --homedir=/tmp/abc123 --batch foo
gpg: WARNING: unsafe permissions on homedir `/tmp/abc123'
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running
# echo $?
2

Comment 7 Tomas Mraz 2013-07-09 21:39:18 UTC
Either you can run the agent before the gpg2 or you can fix the homedir permissions so the agent can be spawned by gpg2.

Comment 8 Rob Crittenden 2013-07-09 22:04:19 UTC
And what permissions might those be? I tried 0700 and it still fails in the same way.

We don't want an agent.

I should note that this does result in a correctly encrypted file, we just have a several second delay and a non-zero error code.

We also end up with a running agent at the end of this. Though re-running the command again still fails because it can't contact the agent.

Comment 9 Tomas Mraz 2013-07-09 22:24:09 UTC
Unfortunately it is not possible to run gpg2 without agent if it requires any kind of passphrase.

Maybe the permissions on the parent directory (/tmp) are the problem.
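
The first option from comment 7 (start the agent before gpg2) worked through as an added example; this is not FreeIPA's code and not the fix that shipped in ipa-3.2.2. It lets `gpg-agent --daemon` run the gpg command as its child inside a private 0700 `--homedir`, so no pre-existing agent is needed, the agent dies with the command, and a stale one is never left behind. It also keeps a non-zero exit as a failure (as ipa-replica-prepare does) and then decrypts the result to prove the ciphertext is usable, instead of guessing from the exit code whether "encryption succeeded anyway". The function names, the roundtrip check, the constructed sample file and the version switch that adds `--pinentry-mode loopback` for GnuPG 2.1 and later (which 2.0 does not accept) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Passphrase-encrypt a file with gpg2 wrapped in its own gpg-agent.

Added example, not FreeIPA's implementation. Assumes `gpg`, `gpg-agent`
and (optionally) `gpgconf` are on PATH; when gpg is absent the demo
reports itself as skipped instead of failing.
"""
import os
import re
import shutil
import subprocess
import tempfile


def gpg_version(gpg="gpg"):
    """Return (major, minor, patch) of the gpg binary, or None if not installed."""
    if shutil.which(gpg) is None:
        return None
    out = subprocess.run([gpg, "--version"], capture_output=True, text=True,
                         check=True).stdout
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", out.splitlines()[0])
    return tuple(int(x) for x in m.groups()) if m else None


def build_gpg_argv(homedir, gpg_args, version, gpg="gpg", agent="gpg-agent"):
    """Wrap a gpg invocation in `gpg-agent --daemon` bound to the same homedir.

    The agent execs the gpg command and exits when it exits, so nothing has
    to be tracked or killed afterwards. GnuPG >= 2.1 only honours
    --passphrase-fd in loopback pinentry mode, while 2.0 rejects that option,
    hence the version switch (assumption of this example, per gpg(1)).
    """
    argv = [agent, "--batch", "--homedir", homedir, "--daemon",
            gpg, "--batch", "--homedir", homedir, "--no-tty", "--yes",
            "--passphrase-fd", "0"]
    if version >= (2, 1, 0):
        argv += ["--pinentry-mode", "loopback"]
    return argv + list(gpg_args)


def encrypt_file(source, dest, passphrase, gpg="gpg"):
    """Symmetrically encrypt `source` to `dest` and prove the result decrypts.

    Raises RuntimeError on a non-zero gpg exit (never silently accepted) or
    when the decrypted ciphertext does not match the plaintext.
    """
    version = gpg_version(gpg)
    if version is None:
        raise RuntimeError("gpg is not installed")
    homedir = tempfile.mkdtemp(prefix="gpg-example-")  # created with mode 0700
    stdin = (passphrase + "\n").encode()
    try:
        enc = build_gpg_argv(homedir, ["-o", dest, "-c", source], version, gpg=gpg)
        r = subprocess.run(enc, input=stdin, capture_output=True)
        if r.returncode != 0:
            raise RuntimeError("gpg exited %d: %s"
                               % (r.returncode, r.stderr.decode(errors="replace").strip()))
        dec = build_gpg_argv(homedir, ["-d", dest], version, gpg=gpg)
        r = subprocess.run(dec, input=stdin, capture_output=True)
        if r.returncode != 0:
            raise RuntimeError("decrypt check exited %d: %s"
                               % (r.returncode, r.stderr.decode(errors="replace").strip()))
        with open(source, "rb") as f:
            if r.stdout != f.read():
                raise RuntimeError("decrypted output does not match source")
        return True
    finally:
        # Best effort: gpg >= 2.1 may have auto-launched an agent for this
        # homedir; ask it to stop before the directory disappears.
        if shutil.which("gpgconf"):
            subprocess.run(["gpgconf", "--homedir", homedir, "--kill", "gpg-agent"],
                           capture_output=True)
        shutil.rmtree(homedir, ignore_errors=True)


def roundtrip_demo():
    """Encrypt a constructed file and verify it; skip cleanly if gpg is absent."""
    if gpg_version() is None:
        return {"skipped": True, "verified": False}
    workdir = tempfile.mkdtemp(prefix="replica-info-")
    try:
        src = os.path.join(workdir, "replica-info-example")
        with open(src, "wb") as f:
            f.write(b"constructed replica bundle, not real IPA data\n")  # constructed
        return {"skipped": False, "verified": encrypt_file(src, src + ".gpg", "Secret123")}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(roundtrip_demo())
```

The passphrase still travels on stdin as in the original call, so it never appears in the process list; the temporary homedir is created by `mkdtemp` with mode 0700, which is what Tomas's permission remark is about, and the wrapped agent means the exit status reflects the encryption rather than the absence of an agent.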

Comment 13 Scott Poore 2013-09-09 15:24:17 UTC
Verified.

Version ::

ipa-server-3.3.1-2.el7.x86_64

Automated Test Results:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ980148 - ipa-replica-prepare gpg error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa-replica-prepare -p Secret123 --ip-address=192.168.144.1 bz980148.testrelm.com > /tmp/tmpout.replicaBugCheck_bz980148 2>&1' (Expected 0, got 0)
Preparing replica for bz980148.testrelm.com from rhel7-1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-bz980148.testrelm.com.gpg
Adding DNS records for bz980148.testrelm.com
Using reverse zone 144.168.192.in-addr.arpa.
The ipa-replica-prepare command was successful
:: [   PASS   ] :: Running 'cat /tmp/tmpout.replicaBugCheck_bz980148' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'returned non-zero exit status 2' 
:: [   PASS   ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'Command.*/usr/bin/gpg.*batch' 
:: [   PASS   ] :: BZ980148 not found 
:: [ 10:23:10 ] ::  Now cleaning up test data
--------------------------------------------
Deleted DNS zone "144.168.192.in-addr.arpa."
--------------------------------------------
:: [   PASS   ] :: Running 'ipa dnszone-del 144.168.192.in-addr.arpa.' (Expected 0, got 0)
-------------------------
Deleted record "bz980148"
-------------------------
:: [   PASS   ] :: Running 'ipa dnsrecord-del testrelm.com bz980148 --del-all' (Expected 0, got 0)

Comment 14 Ludek Smid 2014-06-13 11:44:27 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

