#7880 ipa-client-install fails with an exception when run in a container with failure to backup files in sysrestore
Opened 4 months ago by abbra. Modified 4 months ago

When trying to install a client in a container, there seems to be an issue with xattr copying in the code doing backups of files. It looks like the actual problem is in the shutil module from the standard Python library but nevertheless, we should cope with those exceptions.

I'm using F28 container here but you can reproduce it even with F27 or F29.

$ podman run -t -i --hostname f28-client.demo.freeipa.org --rm fedora:28 /bin/bash
[root@f28-client /]# dnf -q -y install freeipa-client
dbus-daemon: no process found
dbus-daemon: no process found
Failed to open connection to "system" message bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
install-info: No such file or directory for /usr/share/info/libidn.info.gz
warning: /etc/adjtime created as /etc/adjtime.rpmnew
System has not been booted with systemd as init system (PID 1). Can't operate.
System has not been booted with systemd as init system (PID 1). Can't operate.
System has not been booted with systemd as init system (PID 1). Can't operate.
[root@f28-client /]# ipa-client-install --domain demo1.freeipa.org -p admin -w 'REDACTED' --no-ntp
This program will set up FreeIPA client.
Version 4.7.2

Discovery was successful!
Client hostname: f28-client.demo.freeipa.org
Realm: DEMO1.FREEIPA.ORG
DNS Domain: demo1.freeipa.org
IPA Server: ipa.demo1.freeipa.org
BaseDN: dc=demo1,dc=freeipa,dc=org

Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Issuer:      CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Valid From:  2018-07-26 13:25:26
    Valid Until: 2038-07-26 13:25:26

    Subject:     CN=DST Root CA X3,O=Digital Signature Trust Co.
    Issuer:      CN=DST Root CA X3,O=Digital Signature Trust Co.
    Valid From:  2000-09-30 21:12:19
    Valid Until: 2021-09-30 14:01:15

    Subject:     CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    Issuer:      CN=DST Root CA X3,O=Digital Signature Trust Co.
    Valid From:  2016-03-17 16:40:46
    Valid Until: 2021-03-17 16:40:46

Enrolled in IPA realm DEMO1.FREEIPA.ORG
Created /etc/ipa/default.conf
[Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

Below is a relevant part of the ipaclient-install.log:

2019-03-12T19:40:11Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2019-03-12T19:40:11Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3791, in main
    install(self)
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2518, in install
    _install(options)
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2778, in _install
    options, client_domain, hostname):
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 952, in configure_sssd_conf
    default_value=['files'])
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 305, in configure_nsswitch_database
    fstore.backup_file(paths.NSSWITCH_CONF)
  File "/usr/lib/python3.6/site-packages/ipalib/install/sysrestore.py", line 145, in backup_file
    shutil.copy2(path, backup_path)
  File "/usr/lib64/python3.6/shutil.py", line 258, in copy2
    copystat(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 225, in copystat
    _copyxattr(src, dst, follow_symlinks=follow)
  File "/usr/lib64/python3.6/shutil.py", line 165, in _copyxattr
    os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)

2019-03-12T19:40:11Z DEBUG The ipa-client-install command failed, exception: PermissionError: [Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
2019-03-12T19:40:11Z ERROR [Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
2019-03-12T19:40:11Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

After looking at this with @fcami, we think we need to detect whether we run under a containerized environment and catch these exceptions, allowing the installation to proceed. For ipa-client-install it should be just fine to not store xattrs when running in a rootless container -- after all, we are not going to set up an IPA master this way and restore of the files from sysrestore will not be used for a container instance, it will just be thrown away.

Since we get errno.EACCES as an exception here, it is indicative of the problem but only if the top of the stack trace is os.setxattr().

systemd-detect-virt -c -q would return 0 if we are running under a containerized environment.
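
One way to implement the handling proposed in this ticket, as an added example rather than FreeIPA's own code: the xattr copy is its own step, so only EACCES raised by setxattr is tolerated, and only when a container is detected. The `backup_file` signature, the injectable `xattr_api` and the `DenyingXattrs` stand-in are hypothetical, and Linux is assumed.

```python
import errno
import os
import shutil
import subprocess


def in_container():
    """True when `systemd-detect-virt -c -q` exits 0 (container detected)."""
    try:
        return subprocess.call(["systemd-detect-virt", "-c", "-q"]) == 0
    except OSError:
        return False  # tool missing: do not assume a container


def backup_file(src, dst, in_container=in_container, xattr_api=os):
    """Copy src to dst; return the xattr names that could not be stored."""
    # Content, mode and timestamps first: an error here is a real failure
    # and is never mistaken for the xattr problem.
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, st.st_mode & 0o7777)
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    try:
        names = xattr_api.listxattr(src)
    except OSError as e:
        if e.errno not in (errno.ENOTSUP, errno.ENODATA, errno.EINVAL):
            raise
        return []  # source filesystem exposes no xattrs
    skipped = []
    for name in names:
        try:
            xattr_api.setxattr(dst, name, xattr_api.getxattr(src, name))
        except OSError as e:
            # Tolerate only EACCES from setxattr itself, only in a container.
            if e.errno != errno.EACCES or not in_container():
                raise
            skipped.append(name)
    return skipped


class DenyingXattrs:
    """Constructed stand-in for os: every setxattr fails with EACCES."""
    def listxattr(self, path):
        return ["user.example"]  # constructed attribute name
    def getxattr(self, path, name):
        return b"constructed-value"
    def setxattr(self, path, name, value):
        raise PermissionError(errno.EACCES, "Permission denied", path)
```

Returning the skipped names lets the caller log which attributes were not preserved instead of dropping them silently.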
