Bug 980148 - RHEL7 ipa-replica-prepare gpg error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.0
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
: TestBlocker
Depends On:
Blocks:
Reported: 2013-07-01 10:23 EDT by Scott Poore
Modified: 2014-06-17 20:10 EDT (History)

See Also:
Fixed In Version: ipa-3.2.2-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 07:44:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Scott Poore 2013-07-01 10:23:47 EDT
Description of problem:

Running ipa-replica-prepare to set up a gpg package file for IPA fails with a gpg error:

[root@rhel7-1 quickinstall]# ipa-replica-prepare -p PASSWORD --ip-address=192.168.122.72 rhel7-2.testrelm.com
Preparing replica for rhel7-2.testrelm.com from rhel7-1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg
Command '/usr/bin/gpg --batch --homedir /tmp/tmpjpuyvfipa/ipa-YIoufT/.gnupg --passphrase-fd 0 --yes --no-tty -o /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg -c /var/lib/ipa/replica-info-rhel7-2.testrelm.com' returned non-zero exit status 2

Version-Release number of selected component (if applicable):
[root@rhel7-1 ~]# rpm -q ipa-server gnupg2
ipa-server-3.2.1-1.el7.x86_64
gnupg2-2.0.20-1.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1.  Set up a RHEL7 IPA master server (with --setup-dns in my tests)
2.  ipa-replica-prepare -p <password> --ip-address=<ip_of_replica> <hostname_of_replica>


Actual results:
Fails with GPG error listed above.


Expected results:
Finishes and adds DNS entries to IPA

Additional info:
I re-ran with --debug and in the output I see more info:

ipa: DEBUG: args=/usr/bin/gpg --batch --homedir /tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg --passphrase-fd 0 --yes --no-tty -o /var/lib/ipa/replica-info-rhel7-2.testrelm.com.gpg -c /var/lib/ipa/replica-info-rhel7-2.testrelm.com
ipa: DEBUG: Process finished, return code=2
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg'
gpg: keyring `/tmp/tmp44UQJjipa/ipa-_y0LHZ/.gnupg/pubring.gpg' created
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running
Comment 1 Scott Poore 2013-07-01 10:34:41 EDT
FYI, I did not see this in F19 and the gnupg2 versions do differ:

[root@f19-1 ~]# rpm -q freeipa-server gnupg2
freeipa-server-3.2.1-1.fc19.x86_64
gnupg2-2.0.19-8.fc19.x86_64

2.0.19-8 in F19 vs 2.0.20-1 in RHEL7.
Comment 3 Rob Crittenden 2013-07-01 14:14:26 EDT
Scott figured out that in F-19 /usr/bin/gpg is provided by the v1 package, gnupg-1.4.13-3.

With gnupg2 the encryption is succeeding but because no agent was found you get a 5 second delay and a return code of 2, which ipa-replica-prepare takes as an error.

We need a way to be able to encrypt a file without requiring an agent. We want to pass in the password via stdin. Tomas, is that possible?
Comment 4 Rob Crittenden 2013-07-08 11:49:28 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3767
Comment 5 Tomas Mraz 2013-07-09 06:36:51 EDT
So actually this works for me when I put the passphrase into the pass file:

exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3 --batch foo

gpg2 will automatically start the gpg-agent in background when it is not running.

So there must be something else in play.
Comment 6 Rob Crittenden 2013-07-09 17:09:07 EDT
(In reply to Tomas Mraz from comment #5)
> So actually this works for me when I put the passphrase into the pass file:
> 
> exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3
> --batch foo
> 
> gpg2 will automatically start the gpg-agent in background when it is not
> running.
> 
> So there must be something else in play.

The problem occurs when the --homedir option is used:

# echo secret > foo
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --batch foo
# echo $?
0
# rm -f foo.gpg
# mkdir /tmp/abc123
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --homedir=/tmp/abc123 --batch foo
gpg: WARNING: unsafe permissions on homedir `/tmp/abc123'
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running
# echo $?
2
Comment 7 Tomas Mraz 2013-07-09 17:39:18 EDT
Either you can run the agent before the gpg2 or you can fix the homedir permissions so the agent can be spawned by gpg2.
Comment 8 Rob Crittenden 2013-07-09 18:04:19 EDT
And what permissions might those be? I tried 0700 and it still fails in the same way.

We don't want an agent.

I should note that this does result in a correctly encrypted file, we just have a several second delay and a non-zero error code.

We also end up with a running agent at the end of this. Though re-running the command again still fails because it can't contact the agent.
Comment 9 Tomas Mraz 2013-07-09 18:24:09 EDT
Unfortunately it is not possible to run gpg2 without agent if it requires any kind of passphrase.

Maybe the permissions on the parent directory (/tmp) are the problem.
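A scripted version of the encryption step discussed in comments 6 to 9, as an added example that is not part of this bug or of ipa-replica-prepare. It keeps the passphrase off the command line (stdin via --passphrase-fd 0), gives gpg a 0700 homedir, and separates the "file written but exit status 2 because no agent could be reached" case from a real failure by matching the stderr text quoted in comment 6. The function and status names are assumptions of this example.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed from the stderr in comment 6: gpg2 wrote the output file but
# exited 2 because it could not reach or spawn gpg-agent for the --homedir.
AGENT_MARKERS = ("can't connect to the agent", "No agent running")


def gpg_symmetric_encrypt(infile, outfile, passphrase, homedir=None):
    """Symmetrically encrypt infile with gpg/gpg2 using a private homedir.

    The passphrase is written to stdin (--passphrase-fd 0), never placed in
    argv, so it does not show up in `ps`. Returns (returncode, stderr).
    """
    gpg = shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        raise FileNotFoundError("no gpg binary found on PATH")
    # mkdtemp creates the directory with mode 0700, which is what gpg wants
    # for a homedir; chmod covers a caller-supplied directory as well.
    homedir = homedir or tempfile.mkdtemp(prefix="gpg-home-")
    os.chmod(homedir, 0o700)
    cmd = [gpg, "--batch", "--yes", "--no-tty", "--homedir", homedir,
           "--passphrase-fd", "0", "-o", outfile, "-c", infile]
    proc = subprocess.run(cmd, input=passphrase + "\n",
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


def classify_gpg_result(returncode, stderr, output_exists):
    """Map gpg's exit status and stderr to one of three outcomes.

    "ok": exit 0.  "encrypted-but-agent-error": non-zero exit, the only
    complaint in stderr is about the agent, and the output file exists
    (the situation described in comment 8).  "failed": anything else.
    Callers should still verify an "encrypted-but-agent-error" file by
    decrypting it before trusting it.
    """
    if returncode == 0:
        return "ok"
    agent_problem = any(marker in stderr for marker in AGENT_MARKERS)
    if agent_problem and output_exists:
        return "encrypted-but-agent-error"
    return "failed"
```

Running gpg_symmetric_encrypt twice with the same homedir reproduces comment 8's point that a second invocation still cannot contact the agent it started, which is why the exit status alone is not a reliable success signal here.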
Comment 13 Scott Poore 2013-09-09 11:24:17 EDT
Verified.

Version ::

ipa-server-3.3.1-2.el7.x86_64

Automated Test Results:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ980148 - ipa-replica-prepare gpg error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'ipa-replica-prepare -p Secret123 --ip-address=192.168.144.1              bz980148.testrelm.com > /tmp/tmpout.replicaBugCheck_bz980148 2>&1' (Expected 0, got 0)
Preparing replica for bz980148.testrelm.com from rhel7-1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-bz980148.testrelm.com.gpg
Adding DNS records for bz980148.testrelm.com
Using reverse zone 144.168.192.in-addr.arpa.
The ipa-replica-prepare command was successful
:: [   PASS   ] :: Running 'cat /tmp/tmpout.replicaBugCheck_bz980148' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'returned non-zero exit status 2' 
:: [   PASS   ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'Command.*/usr/bin/gpg.*batch' 
:: [   PASS   ] :: BZ980148 not found 
:: [ 10:23:10 ] ::  Now cleaning up test data
--------------------------------------------
Deleted DNS zone "144.168.192.in-addr.arpa."
--------------------------------------------
:: [   PASS   ] :: Running 'ipa dnszone-del 144.168.192.in-addr.arpa.' (Expected 0, got 0)
-------------------------
Deleted record "bz980148"
-------------------------
:: [   PASS   ] :: Running 'ipa dnsrecord-del testrelm.com bz980148 --del-all' (Expected 0, got 0)
Comment 14 Ludek Smid 2014-06-13 07:44:27 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
