#8530 Running ipa-server-install fails on machine where libsss_sudo is not installed
Closed: fixed 3 years ago by rcritten. Opened 3 years ago by fcami.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1859185

Description of problem:

In an environment where libsss_sudo is not installed, in a container as well as on a
host, ipa-server-install now fails to finish properly.

Version-Release number of selected component (if applicable):

pki-server-10.9.0-0.2.fc33.noarch
freeipa-server-4.8.7-1.fc33.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y /usr/lib64/libsss_sudo.so
2. dnf install -y --setopt=install_weak_deps=False freeipa-server
3. ipa-server-install -U -r EXAMPLE.TEST -p Secret123 -a Secret123

Actual results:

  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv72feazp'] returned non-zero
exit status 1: 'Notice: Trust flag u is set automatically if the private key is
present.\nsudo: unable to load /usr/lib64/libsss_sudo.so:
/usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or
directory\nsudo: unable to initialize SSS source. Is SSSD installed on your
machine?\nsudo: unable to load /usr/lib64/libsss_sudo.so:
/usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or
directory\nsudo: unable to initialize SSS source. Is SSSD installed on your
machine?\nERROR: Exception: CA subsystem did not start after 60s\n  File
"/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n
scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/
deployment/scriptlets/configuration.py", line 886, in spawn\n
deployer.instance.wait_for_startup(\n  File
"/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line
891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start
after %ds\' %\n\n')
See the installation logs and the following files/directories for more
information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for
more information


Expected results:

  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: Add ipa-pki-wait-running
  [3/30]: secure AJP connector
  [4/30]: reindex attributes
  [5/30]: exporting Dogtag certificate store pin
  [6/30]: stopping certificate server instance to update CS.cfg
[...]
The ipa-server-install command was successful

or maybe

  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command
['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpag8a3qe6'] returned non-zero
exit status 1: 'Notice: Trust flag u is set automatically if the private key is
present.\nERROR: Exception: CA subsystem did not start after 60s\n  File
"/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n
scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/
deployment/scriptlets/configuration.py", line 886, in spawn\n
deployer.instance.wait_for_startup(\n  File
"/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line
891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start
after %ds\' %\n\n')
See the installation logs and the following files/directories for more
information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for
more information

before the new tomcat for bug 1857043 lands in the mirrors.

Additional info:

Either whatever component that requires / configures libsss_sudo to be present
should hard-require it, or ideally sudo shouldn't be used by the installer.

This is a regression against Fedora 32.

Metadata Update from @fcami:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1859185

3 years ago

The dependency on sudo was tracked on Dogtag side at:
https://github.com/dogtagpki/pki/issues/3288
It is fixed on Dogtag's side by:
https://github.com/dogtagpki/pki/commit/49585867207922479644a03078c29548de02cd03
which should be 10.10+ only.

The above would result in completed installs (e.g. no more ipa-{server,replica}-install failures when sudo is absent) but also in a server with unconfigured sudo.
So AI: make FreeIPA depend on libsss_sudo.

Two remarks:
- the hard-dependency on libsss_sudo might prevent some valid use-cases (like removing sudo from an IPA container image). Using weak dependencies seems best.
- libsss_sudo has "Conflicts: sssd-common < %{version}-%{release}" so there should be no need to specify a version in freeipa.spec.in's Recommends: libsss_sudo line.
- it would be wise to extend the dependency to ipa clients.
- also, the ipa-client depends (feature-wise) on sudo AND libsss_sudo, so depend on both.

Metadata Update from @fcami:
- Custom field changelog adjusted to The FreeIPA client RPM now has a soft dependency on libsss_sudo.

3 years ago

Metadata Update from @fcami:
- Custom field changelog adjusted to The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself. (was: The FreeIPA client RPM now has a soft dependency on libsss_sudo.)

3 years ago

I don't understand why freeipa.spec has to change in order to address a bug in Dogtag related to sudo and sssd libraries. Since it's a regression in Dogtag code, Dogtag should backport their fix.

After further reading and investigation I now think this should be handled by authselect's spec file. If authselect with-sudo breaks when libsss_sudo is missing, then authselect should depend on the package that provides the library.

I don't think so. Your example is exactly what Recommends: is supposed to be: authselect can work without sudo and libsss_sudo, but some features are missing without them.
See the WeakDependencies documentation.

Additional data and AI:
- ipa-{server,replica}-install sudo configuration is hardcoded to True. But this is not an issue, the installer works without sudo.
- ipa-server-install depends on ipa-client-install, so any Requires/Recommends added to ipa-client-install will apply to ipa-server-install.
- corner case: sudo is installed but not libsss_sudo. This is not desirable.
AI:
- ensure libsss_sudo is installed if sudo is installed
- ipa-client-install should output a warning if sudo not available on this system.
- double-check what anaconda does wrt Recommends:
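
The checks listed above, written out as an added example that is not FreeIPA's own code: a POSIX sh script that reports the three states the thread distinguishes (sudo absent, sudo present without libsss_sudo, both present) and cross-checks them against nsswitch.conf, since a sudoers line that lists sss while libsss_sudo.so is missing is what produces the "unable to initialize SSS source" error quoted in the description. The default paths and the assumption that authselect's with-sudo feature puts sss on the sudoers line are mine; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not FreeIPA code: host-side checks for the sudo/SSSD
# integration discussed in the ticket. Default paths are assumptions that
# match the Fedora layout quoted in the error output; pass others as arguments.

# Returns 0 when sudo and libsss_sudo are both present, 1 when sudo is absent
# (the case ipa-client-install now warns about), 2 when sudo is installed but
# libsss_sudo is not (the corner case the thread calls undesirable).
sudo_support_status() {
    sudo_bin="${1:-/usr/bin/sudo}"
    sss_lib="${2:-/usr/lib64/libsss_sudo.so}"
    if [ ! -x "$sudo_bin" ]; then
        echo "WARNING: sudo not found at $sudo_bin; IPA sudo rules cannot be used on this host" >&2
        return 1
    fi
    if [ ! -f "$sss_lib" ]; then
        echo "WARNING: sudo is installed but $sss_lib is missing; sudo will report 'unable to initialize SSS source'" >&2
        return 2
    fi
    return 0
}

# Returns 0 when the sudoers line of nsswitch.conf lists the sss source
# (assumed to be what authselect's with-sudo feature enables), 1 otherwise.
nsswitch_sudoers_uses_sss() {
    conf="${1:-/etc/nsswitch.conf}"
    [ -r "$conf" ] || return 1
    # drop comments, keep only the sudoers line, then look for 'sss' as a word
    sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*sudoers[[:space:]]*:' \
        | grep -qE '(^|[[:space:]])sss([[:space:]]|$)'
}

# Combined verdict: 0 = consistent, 1 = sudo absent (warning only),
# 2 = sudo present without libsss_sudo; an ERROR is added when nsswitch.conf
# actually routes sudoers lookups to sss, i.e. sudo would fail at runtime.
check_sudo_integration() {
    rc=0
    sudo_support_status "$1" "$2" || rc=$?
    if [ "$rc" -eq 2 ] && nsswitch_sudoers_uses_sss "$3"; then
        echo "ERROR: nsswitch.conf routes sudoers lookups to sss but libsss_sudo cannot be loaded" >&2
        return 2
    fi
    return "$rc"
}

# Run against the live host when executed directly.
check_sudo_integration || :
```

Run as root during image validation or before ipa-client-install; a return code of 2 with the ERROR line is the state the reporter hit, where pkispawn's sudo call fails even though sudo itself is installed.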

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.8.11

3 years ago

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5176

3 years ago

master:

  • fcfefe0 freeipa.spec: client: depend on libsss_sudo and sudo
  • a912bbb ipa-client-install: output a warning if sudo is not present
  • ed8a9e4 ipatests: tasks: handle uninstalling packages with nodeps
  • 82216bf ipatests: add TestInstallWithoutSudo

ipa-4-9:

  • b590dce ipatests: add TestInstallWithoutSudo
  • 0c2741a ipatests: tasks: handle uninstalling packages with nodeps
  • fe157ca ipa-client-install: output a warning if sudo is not present
  • ee0ba2d freeipa.spec: client: depend on libsss_sudo and sudo

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

master:

  • 87304c7 ipatests: fix nightly_latest_testing_selinux template

master:

  • abaa614 ipa-client-install: output a warning if sudo is not present (2)
  • 1ef54f2 ipatests: check for the "no sudo present" string absence

ipa-4-9:

  • 061e0b6 ipa-client-install: output a warning if sudo is not present (2)
  • 4b91783 ipatests: check for the "no sudo present" string absence
