Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1859185
Description of problem:
In an environment where libsss_sudo is not installed, as in a container but on a host alike, ipa-server-install now fails to finish properly.

Version-Release number of selected component (if applicable):
pki-server-10.9.0-0.2.fc33.noarch
freeipa-server-4.8.7-1.fc33.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf remove -y /usr/lib64/libsss_sudo.so
2. dnf install -y --setopt=install_weak_deps=False freeipa-server
3. ipa-server-install -U -r EXAMPLE.TEST -p Secret123 -a Secret123

Actual results:
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpv72feazp'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nsudo: unable to load /usr/lib64/libsss_sudo.so: /usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or directory\nsudo: unable to initialize SSS source. Is SSSD installed on your machine?\nsudo: unable to load /usr/lib64/libsss_sudo.so: /usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or directory\nsudo: unable to initialize SSS source. Is SSSD installed on your machine?\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 886, in spawn\n    deployer.instance.wait_for_startup(\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start after %ds\' %\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: Add ipa-pki-wait-running
  [3/30]: secure AJP connector
  [4/30]: reindex attributes
  [5/30]: exporting Dogtag certificate store pin
  [6/30]: stopping certificate server instance to update CS.cfg
[...]
The ipa-server-install command was successful

or maybe

  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpag8a3qe6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 886, in spawn\n    deployer.instance.wait_for_startup(\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start after %ds\' %\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

before the new tomcat for bug 1857043 lands in the mirrors.

Additional info:
Either whatever component requires / configures libsss_sudo to be present should hard-require it, or ideally sudo shouldn't be used by the installer. This is a regression against Fedora 32.
Metadata Update from @fcami: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1859185
The dependency on sudo was tracked on Dogtag side at: https://github.com/dogtagpki/pki/issues/3288 It is fixed on Dogtag's side by: https://github.com/dogtagpki/pki/commit/49585867207922479644a03078c29548de02cd03 which should be 10.10+ only.
The above would result in completed installs (e.g. no more ipa-{server,replica}-install failures when sudo is absent) but also in a server with unconfigured sudo. So AI: make FreeIPA depend on libsss_sudo.
Two remarks:
- the hard dependency on libsss_sudo might prevent some valid use cases (like removing sudo from an IPA container image). Using weak dependencies seems best.
- libsss_sudo has "Conflicts: sssd-common < %{version}-%{release}", so there should be no need to specify a version in freeipa.spec.in's Recommends: libsss_sudo line.
- it would be wise to extend the dependency to ipa clients.
- also, the ipa-client depends (feature-wise) on sudo AND libsss_sudo, so depend on both.
Metadata Update from @fcami: - Custom field changelog adjusted to The FreeIPA client RPM now has a soft dependency on libsss_sudo.
Metadata Update from @fcami: - Custom field changelog adjusted to The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself. (was: The FreeIPA client RPM now has a soft dependency on libsss_sudo.)
I don't understand why freeipa.spec has to change in order to address a bug in Dogtag related to sudo and sssd libraries. Since it's a regression in Dogtag code, Dogtag should backport their fix.
After further reading and investigation I now think this should be handled by authselect's spec file. If authselect with-sudo breaks when libsss_sudo is missing, then authselect should depend on the package that provides the library.
I don't think so. Your example is exactly what Recommends: is supposed to be: authselect can work without sudo and libsss_sudo, but some features are missing without them. See the WeakDependencies documentation.
Additional data and AI:
- ipa-{server,replica}-install sudo configuration is hardcoded to True. But this is not an issue, the installer works without sudo.
- ipa-server-install depends on ipa-client-install, so any Requires/Recommends added to ipa-client-install will apply to ipa-server-install.
- corner case: sudo is installed but not libsss_sudo. This is not desirable.

AI:
- ensure libsss_sudo is installed if sudo is installed
- ipa-client-install should output a warning if sudo is not available on this system.
- double-check what anaconda does wrt Recommends:
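The preflight check sketched in the comment above (warn when sudo is missing, and flag the corner case where sudo is installed but libsss_sudo is not), written out as an added example. This is not FreeIPA or Dogtag code; it mirrors what sudo itself does when it dlopen()s the SSS plugin, so a library that is present but not loadable is reported too. The sudo binary path is an assumption; the libsss_sudo path is the one from the error output in this ticket.

```python
"""Classify a host's sudo/libsss_sudo state the way the ticket's AI describes.

Added example, not part of FreeIPA. Default paths are assumptions for
Fedora; both functions accept other paths so the logic can be exercised
against a constructed directory.
"""
import ctypes
import os

SUDO_BIN = "/usr/bin/sudo"                 # assumption: Fedora location of sudo
LIBSSS_SUDO = "/usr/lib64/libsss_sudo.so"  # path sudo tried to load in the ticket


def sudo_state(sudo_path=SUDO_BIN, lib_path=LIBSSS_SUDO):
    """Return one of four states:

    "no-sudo"        sudo is absent; the installer can proceed, but sudo rules
                     served by IPA are unusable on this host
    "sudo-no-libsss" the undesirable corner case: sudo present, SSS plugin absent
    "lib-unloadable" the file exists but cannot be dlopen()ed; sudo would
                     fail to initialize the SSS source just as in the ticket
    "ok"             sudo and a loadable libsss_sudo are both present
    """
    if not os.path.isfile(sudo_path):
        return "no-sudo"
    if not os.path.isfile(lib_path):
        return "sudo-no-libsss"
    try:
        # Same operation sudo performs; a bad ELF header or missing
        # dependency raises OSError here.
        ctypes.CDLL(lib_path)
    except OSError:
        return "lib-unloadable"
    return "ok"


def preflight_warnings(sudo_path=SUDO_BIN, lib_path=LIBSSS_SUDO):
    """Warnings an installer could print; empty list means nothing to report."""
    state = sudo_state(sudo_path, lib_path)
    if state == "no-sudo":
        return ["sudo is not installed on this system; "
                "sudo rules from IPA will not be usable here"]
    if state == "sudo-no-libsss":
        return ["sudo is installed but %s is missing; "
                "install libsss_sudo or sudo will fail to initialize "
                "the SSS source" % lib_path]
    if state == "lib-unloadable":
        return ["%s exists but cannot be loaded; check the sssd "
                "installation" % lib_path]
    return []


if __name__ == "__main__":
    for line in preflight_warnings():
        print("WARNING: " + line)
```

Only the "sudo-no-libsss" and "lib-unloadable" states correspond to the failure in the ticket; "no-sudo" is the case the installer already tolerates once the Dogtag fix lands, and it only merits the warning the comment asks for.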
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.8.11
Metadata Update from @fcami: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5176
master:
ipa-4-9:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)