#3742 Change of: User may not run sudo --> a password is required

Created 10 days ago by pcech
Modified 2 days ago

Issue

Error message changed from:
Sorry, user testuser1 may not run sudo on vm-171-135.
to:
sudo: a password is required

_________ TestSudo.test_sudo_rule_restricted_to_one_hostmask_negative __________

self = <ipatests.test_integration.test_sudo.TestSudo object at 0x7fb1069e5080>

def test_sudo_rule_restricted_to_one_hostmask_negative(self):
result1 = self.list_sudo_commands("testuser1")
assert result1.returncode != 0
> assert "Sorry, user testuser1 may not run sudo on {}.".format(
self.clientname) in result1.stderr_text
E AssertionError: assert 'Sorry, user testuser1 may not run sudo on vm-171-135.' in 'sudo: a password is required\n'
E + where 'Sorry, user testuser1 may not run sudo on vm-171-135.' = <built-in method format of str object at 0x7fb106906bd0>('vm-171-135')
E + where <built-in method format of str object at 0x7fb106906bd0> = 'Sorry, user testuser1 may not run sudo on {}.'.format
E + and 'vm-171-135' = <ipatests.test_integration.test_sudo.TestSudo object at 0x7fb1069e5080>.clientname
E + and 'sudo: a password is required\n' = <pytest_multihost.ssh_command.SSHCommand object at 0x7fb1068d20b8>.stderr_text

test_integration/test_sudo.py:361: AssertionError

It is originaly connected to
https://pagure.io/freeipa/issue/7543

And it could be caused by:
https://pagure.io/SSSD/sssd/issue/3733
https://pagure.io/SSSD/sssd/issue/3558


Are there any logs the test left behind?

I've talked to @fbarreto and he gave me the following instructions on how to reproduce the issue.
Firstly, we'll need the following patch (f27.patch):

[fidencio@machado ~]$ cat ~/Downloads/f27.patch 
diff --git a/ipavagrant/constants.py b/ipavagrant/constants.py
index ff064b2..3f0361c 100644
--- a/ipavagrant/constants.py
+++ b/ipavagrant/constants.py
@@ -24,7 +24,7 @@ AUTO_DOMAIN_LEVEL = -1

 # please keep ABC order of keys
 DEFAULT_CONFIG = dict(
-    box="f26",
+    box="f27",
     ci_config_file="ipa-test-config.yaml",
     domain="ipa.test",
     ipa_ci_ad_admin_name="Administrator",
@@ -132,13 +132,11 @@ box_mapping = {
             "domain.template": "ipa-Fedora-24-x86_64-developer-brq",
         },
     },
-    "f26": {
+    "f27": {
         "libvirt": {
-            "override.vm.box": "f26",
+            "override.vm.box": "f27",
             "override.vm.box_url":
-                "https://download.fedoraproject.org/pub/fedora/linux/releases/"
-                "26/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-26-1.5"
-                ".x86_64.vagrant-libvirt.box",
+                "http://fedora.c3sl.ufpr.br/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-27-1.6.x86_64.vagrant-libvirt.box",
         },
         "virtualbox": {
             "override.vm.box": "box-cutter/fedora26",

And then, just follow:

git clone https://github.com/freeipa/ipa-vagrant-tools/
cd ipa-vagrant-tools
git am f27.patch
./ipa-vagrant-ci-topology-create sudo-test --clients 1 --add-package={freeipa-server,freeipa-server-dns,freeipa-tests} --box f27
cd sudo-test;
ls rpms/
# put here the rpms you want to install
vagrant up
vagrant ssh controller
$IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo::test_sudo_rule_restricted_to_one_hostmask_negative --verbose --logging-level=DEBUG --pdb

He also mentioned that he's not completely sure we can just run the method. In case it fails, we should run the whole tests' class:

$IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo --verbose --logging-level=DEBUG --pdb

@fbarreto, thanks a lot, you saved us some nice amount of time! :-)

Edited 10 days ago by fidencio

The test is failing if you run whole test suite in the vagrant machinery. If you choose just proper test, it pass.

{{
sudo IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo --verbose --logging-level=DEBUG --pdb
}}

Okay, I've bisected SSSD and the faulty patch is 47ad077.

Basically, I will leave up to @pbrezina whether he'd prefer to close this one as a dup of #3733 or not (as, although the regression was not introduced by the same patch, it was introduced by the same series).

@pcech, please, I'd like you to confirm that reverting the patch solves the issue.
The easiest way to test is, after cloning the ipa-vagrant-tools and applying the f27 patch, do:

./ipa-vagrant-ci-topology-create sudo-test --clients 1 --add-package={freeipa-server,freeipa-server-dns,freeipa-tests} --box f27
cd sudo-test;
cd rpms/ && koji download-task 27162149 && rm sssd-1.16.1-8.fc27.20180524083617.pcech.src.rpm && cd -
vagrant up
vagrant ssh controller
# download freeipa, build it ... and the run
IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py --verbose --logging-level=DEBUG --pdb

I've just tested here following the steps provided and the test passed.

2 days ago

Metadata Update from @fidencio:
- Issue tagged with: regression

Can you point me to the exact test that failed? Or do we have a manual reproducer?

@pbrezina,

test_sudo_rule_restricted_to_one_hostmask_negative is the test failing. However, in order to get a failure there you have to run the whole test suit as per https://pagure.io/SSSD/sssd/issue/3742#comment-513462

@fidencio , good news to everyone! The tests are green with rpms provided by Fabiano.

Edited 2 days ago by pcech

I'll revert the change on Fedora and keep this ticket opened in order to investigate it properly.

As discussed with @pbrezina Today, there may be some issue even on the tests themselves.

2 days ago

Metadata Update from @fidencio:
- Issue assigned to fidencio

Login to comment on this ticket.

cancel