Attempted a FreeIPA installation on Debian unstable using a container which didn't have the sudo package installed; pkispawn failed with the following message in pki-ca-spawn.<DATE>.log:
2020-04-08 18:41:55 ERROR: FileNotFoundError: [Errno 2] No such file or directory: 'sudo'
  File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 747, in spawn
    subsystem.remove_database(force=True)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 932, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 980, in run
    subprocess.run(cmd, check=True)
  File "/usr/lib/python3.8/subprocess.py", line 489, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
I think sudo definitely shouldn't be needed for running as root in a container:
root@ipa:/# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
root@ipa:/# apt-cache show pki-base |grep Version
Version: 10.8.3-2
While spawning, the removal happens as pkiuser and not the current user. This is achieved by using sudo -u in the script...
https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/subsystem.py#L943
As ab pointed out in the IRC conversation, sudo -u can be replaced by runuser -u, which is part of the util-linux package.
Metadata Update from @dmoluguw: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
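The tool choice discussed in the comments above (runuser when already root, sudo otherwise) can be sketched as follows. This is an added example, not the code from the PR or from Dogtag PKI; the function names, `RunAsError` and the sample command are hypothetical.

```python
import os
import pwd
import shutil


class RunAsError(RuntimeError):
    """Raised when no usable tool exists to switch to the target user."""


def run_as_prefix(user, current_user, euid, which=shutil.which):
    """Return the argv prefix needed to run a command as `user`.

    - already `user`: no wrapper at all
    - root (euid 0): runuser from util-linux, so sudo is not a dependency
    - anyone else: sudo, since runuser may only be used by root
    """
    if current_user == user:
        return []
    tool = "runuser" if euid == 0 else "sudo"
    if which(tool) is None:
        # Fail with a clear message instead of a FileNotFoundError from Popen.
        raise RunAsError(f"cannot switch to {user!r}: {tool!r} not found in PATH")
    # "--" ends option parsing so the wrapped command's flags are not consumed.
    return [tool, "-u", user, "--"]


def build_command(cmd, user="pkiuser", current_user=None, euid=None,
                  which=shutil.which):
    """Prepend the user-switch prefix to `cmd` (an argv list, never a shell string)."""
    if euid is None:
        euid = os.geteuid()
    if current_user is None:
        current_user = pwd.getpwuid(euid).pw_name
    return run_as_prefix(user, current_user, euid, which) + list(cmd)


if __name__ == "__main__":
    # Constructed scenario: root in a container image that ships no sudo.
    def no_sudo(tool):
        return "/usr/sbin/runuser" if tool == "runuser" else None

    print(build_command(["id", "-un"], current_user="root", euid=0, which=no_sudo))
```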
The issue is fixed via PR: https://github.com/dogtagpki/pki/pull/494
The PR will be merged after 10.9 branching occurs (i.e., it will be included in PKI 10.10+). This issue should stay open until the PR gets merged.
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3288
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)