Bug 980148
| Summary: | RHEL7 ipa-replica-prepare gpg error | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | jgalipea, rcritten, tmraz |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.2.2-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 11:44:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Scott Poore
2013-07-01 14:23:47 UTC
FYI, I did not see this in F19 and the gnupg2 versions do differ:

```
[root@f19-1 ~]# rpm -q freeipa-server gnupg2
freeipa-server-3.2.1-1.fc19.x86_64
gnupg2-2.0.19-8.fc19.x86_64
```

2.0.19-8 in F19 vs 2.0.20-1 in RHEL7.

Scott figured out that in F-19 /usr/bin/gpg is provided by the v1 package, gnupg-1.4.13-3. With gnupg2 the encryption is succeeding but because no agent was found you get a 5 second delay and a return code of 2, which ipa-replica-prepare takes as an error.

We need a way to be able to encrypt a file without requiring an agent. We want to pass in the password via stdin. Tomas, is that possible?

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3767

So actually this works for me when I put the passphrase into the pass file:

```
exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3 --batch foo
```

gpg2 will automatically start the gpg-agent in background when it is not running.

So there must be something else in play.

(In reply to Tomas Mraz from comment #5)
> So actually this works for me when I put the passphrase into the pass file:
>
> exec 3< pass ; gpg2 -c -o foo.gpg --cipher-algo AES --passphrase-fd=3
> --batch foo
>
> gpg2 will automatically start the gpg-agent in background when it is not
> running.
>
> So there must be something else in play.

The problem occurs when the --homedir option is used:

```
# echo secret > foo
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --batch foo
# echo $?
0
# rm -f foo.gpg
# mkdir /tmp/abc123
# echo pass | gpg2 -c -o foo.gpg --passphrase-fd=0 --homedir=/tmp/abc123 --batch foo
gpg: WARNING: unsafe permissions on homedir `/tmp/abc123'
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running
# echo $?
2
```

Either you can run the agent before the gpg2 or you can fix the homedir permissions so the agent can be spawned by gpg2.

And what permissions might those be? I tried 0700 and it still fails in the same way. We don't want an agent.

I should note that this does result in a correctly encrypted file, we just have a several second delay and a non-zero error code. We also end up with a running agent at the end of this. Though re-running the command again still fails because it can't contact the agent.

Unfortunately it is not possible to run gpg2 without agent if it requires any kind of passphrase. Maybe the permissions on the parent directory (/tmp) are the problem.

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/b5d008ed5a2ec074bf28ca5835785ee3160d6a9d
ipa-3-2: https://fedorahosted.org/freeipa/changeset/aac1c2da1629634469034bbcb58ed52aa46a556c

Verified.

Version :: ipa-server-3.3.1-2.el7.x86_64

Automated Test Results:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: BZ980148 - ipa-replica-prepare gpg error
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'ipa-replica-prepare -p Secret123 --ip-address=192.168.144.1 bz980148.testrelm.com > /tmp/tmpout.replicaBugCheck_bz980148 2>&1' (Expected 0, got 0)
Preparing replica for bz980148.testrelm.com from rhel7-1.testrelm.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-bz980148.testrelm.com.gpg
Adding DNS records for bz980148.testrelm.com
Using reverse zone 144.168.192.in-addr.arpa.
The ipa-replica-prepare command was successful
:: [ PASS ] :: Running 'cat /tmp/tmpout.replicaBugCheck_bz980148' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'returned non-zero exit status 2'
:: [ PASS ] :: File '/tmp/tmpout.replicaBugCheck_bz980148' should not contain 'Command.*/usr/bin/gpg.*batch'
:: [ PASS ] :: BZ980148 not found
:: [ 10:23:10 ] :: Now cleaning up test data
--------------------------------------------
Deleted DNS zone "144.168.192.in-addr.arpa."
--------------------------------------------
:: [ PASS ] :: Running 'ipa dnszone-del 144.168.192.in-addr.arpa.' (Expected 0, got 0)
-------------------------
Deleted record "bz980148"
-------------------------
:: [ PASS ] :: Running 'ipa dnsrecord-del testrelm.com bz980148 --del-all' (Expected 0, got 0)
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
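Added example, not code from this bug report or from FreeIPA: a shell function that runs the same kind of gpg2 symmetric encryption discussed in the thread, but inside a private 0700 `--homedir`, with the passphrase on a file descriptor, and decides success by decrypting the output rather than by gpg2's exit status (which the thread shows can be 2 while the file is fine). It assumes gpg2 and cmp are on PATH; the sample file and passphrase are constructed.

```shell
#!/bin/sh
# Example added here (not from the bug or FreeIPA): encrypt with gpg2 in a
# private 0700 homedir, pass the passphrase on fd 3, verify by round trip.
# Assumes gpg2 and cmp are installed.

# gpg_encrypt_verified SRC OUT PASSFILE
# Returns 0 when OUT decrypts back to SRC, 1 otherwise. gpg2's own exit
# status goes to stderr so an agent-only failure can be told apart from a
# missing or corrupt output file.
gpg_encrypt_verified() {
    src=$1; out=$2; passfile=$3
    home=$(mktemp -d) || return 1
    chmod 0700 "$home"   # avoids "unsafe permissions on homedir"
    # gnupg >= 2.1 only reads --passphrase-fd in batch mode with loopback
    # pinentry; gnupg 2.0 rejects that option, so probe for it first.
    mode=""
    if gpg2 --pinentry-mode loopback --version >/dev/null 2>&1; then
        mode="--pinentry-mode loopback"
    fi
    rm -f "$out"
    # Passphrase arrives on fd 3, so it never appears in argv or ps output.
    if gpg2 --homedir "$home" --batch --yes $mode --passphrase-fd 3 \
           --cipher-algo AES -c -o "$out" "$src" 3< "$passfile" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    echo "gpg2 encrypt exit status: $rc" >&2
    # Round trip: the file is only good if it decrypts to the original bytes.
    status=1
    if [ -s "$out" ] && gpg2 --homedir "$home" --batch $mode --passphrase-fd 3 \
           -d "$out" 3< "$passfile" 2>/dev/null | cmp -s - "$src"; then
        status=0
    fi
    # Stop the agent gpg2 may have spawned for this homedir (gnupg >= 2.1).
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    return $status
}

# Constructed sample input standing in for the replica-info file.
demo() {
    work=$(mktemp -d) || return 1
    printf 'replica-info placeholder\n' > "$work/foo"
    printf 'Secret123\n' > "$work/pass"
    if gpg_encrypt_verified "$work/foo" "$work/foo.gpg" "$work/pass"; then r=0; else r=1; fi
    rm -rf "$work"
    return $r
}
```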