Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1895197
Description of problem:

Improve the way IPA detects PKI services: do not rely on files or directories, try to rely on the Dogtag tools or interfaces. Example: use pki-server subsystem-find from base/server/python/pki/server/cli/subsystem.py, class SubsystemFindCLI(pki.cli.CLI):

    pki-server subsystem-find
    -----------------
    2 entries matched
    -----------------
      Subsystem ID: ca
      Instance ID: pki-tomcat
      Enabled: True

      Subsystem ID: kra
      Instance ID: pki-tomcat
      Enabled: True

instead of /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py:

    def is_installed(self):
        """
        Determine if subsystem instance has been installed.

        Returns True/False
        """
        return os.path.exists(os.path.join(
            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))

This directory path test returns an incorrect true status because, for example, there is no "ipa-kra-install --uninstall" (removed in 2018 / bz 1454444):

    ipa-kra-install --uninstall
    ERROR: Standalone KRA uninstallation was removed in IPA 4.5 as it had never worked properly and only caused issues.

Real world scenario example: there is a RHEL-7 IPA replica deployed; that system is updated from RHEL-7.8 to RHEL-7.9; the update fails in IPA, leading to a failing "ipactl restart", then to some serious other problems.

In this case, there was no PKI KRA subsystem configured, listed from

    ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b "ou=Security Domain,o=ipaca"

nor from an "ipa config-show --all", and no ipara listed from

    ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b o=ipaca '(|(uid=ipara)(uid=ipakra))'

but we still had a directory /var/lib/pki/pki-tomcat/kra/, so the test in /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py incorrectly returned a true status in is_installed(self). That all led to an LDAP error on the missing ipakra user entry, then to a failed IPA update, then to a failed ipactl start, and a bad situation.
Version-Release number of selected component (if applicable):
RHEL-7
RHEL-8

How reproducible:

Steps to Reproduce:
1. IPA with CA, NO KRA
2. add a /var/lib/pki/pki-tomcat/kra/ directory
3. try to run the ipa console for api.Updater[fix_kra_people_entry]()

Actual results:

    2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
    ...
    2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
    2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
        self.modified = (ld.update(self.files) or self.modified)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 966, in update
        self._run_updates(all_updates)
    ...
      File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py", line 35, in execute
        entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

Then I realized there is no KRA agent LDAP entry uid=ipakra,ou=people,o=kra,o=ipaca because that RHEL IPA system has no KRA installed (but has a CA). So why the failure in fix_kra_people_entry.py if there is no KRA?

The IPA update uses "plug-ins" to update various elements, listed from /usr/share/ipa/updates/90-post_upgrade_plugins.update, and one of them is /usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py, which calls /usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py, which calls a function is_installed().

The problem is that is_installed() simply checks for a directory path to decide a PKI subsystem is installed and configured, which is not a sufficient way to detect the availability of a service.

Expected results:
yes

Additional info:
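The detection approach the reporter proposes, as an added example that is neither FreeIPA's nor Dogtag's code and not the fix merged for this ticket: parse the `pki-server subsystem-find` output quoted above and treat a subsystem as installed only when the CLI lists it for the expected instance with `Enabled: True`. The directory-existence check from dogtaginstance.py is kept alongside for comparison, and the demo reproduces the ticket's stale `kra/` directory case. Assumptions: the output format is exactly the one shown in the ticket, the CA-only output is constructed for the example, and `parse_subsystem_find`, `is_subsystem_installed`, `is_installed_by_path` and `run_subsystem_find` are hypothetical names chosen here.

```python
"""
Added example (not FreeIPA or Dogtag code): detect a PKI subsystem from the
output of `pki-server subsystem-find` instead of from a directory path.

Assumptions: the CLI output format is the one quoted in the ticket; all
function names below are hypothetical and chosen for this example only.
"""
import os
import subprocess
import tempfile

# Constructed sample: the subsystem-find output quoted in the ticket (CA + KRA).
SAMPLE_OUTPUT = """\
-----------------
2 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
"""

# Constructed sample: what the affected replica (CA only, no KRA) would print.
CA_ONLY_OUTPUT = """\
-----------------
1 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True
"""


def parse_subsystem_find(output):
    """Parse subsystem-find output into {subsystem_id: {"instance": str, "enabled": bool}}."""
    subsystems = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        # Skip separators, the "N entries matched" banner and blank record separators.
        if not line or line.startswith("-") or line.endswith("entries matched"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Subsystem ID":
            current = subsystems.setdefault(value.lower(), {"instance": None, "enabled": False})
        elif current is None:
            continue  # attribute line before any "Subsystem ID" record: ignore
        elif key == "Instance ID":
            current["instance"] = value
        elif key == "Enabled":
            current["enabled"] = value.lower() == "true"
    return subsystems


def is_subsystem_installed(subsystem, output, instance="pki-tomcat"):
    """True only when the CLI lists the subsystem for the given instance and it is enabled."""
    info = parse_subsystem_find(output).get(subsystem.lower())
    return bool(info) and info["instance"] == instance and info["enabled"]


def is_installed_by_path(subsystem, base_dir):
    """The directory-existence check criticised in the ticket, kept for comparison."""
    return os.path.exists(os.path.join(base_dir, subsystem.lower()))


def run_subsystem_find():
    """Run the real CLI (needs pki-server on the host) and return its stdout."""
    return subprocess.run(["pki-server", "subsystem-find"], check=True,
                          capture_output=True, text=True).stdout


def demo():
    """Reproduce the ticket's case: a leftover kra/ directory fools the path check,
    while the CLI-based check correctly reports no KRA."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "kra"))  # stands in for a stale /var/lib/pki/pki-tomcat/kra/
        return (is_installed_by_path("kra", base),
                is_subsystem_installed("kra", CA_ONLY_OUTPUT))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

On a real server `is_subsystem_installed("kra", run_subsystem_find())` replaces the constructed output; the instance check matters because `subsystem-find` enumerates every Tomcat instance, not only pki-tomcat.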
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1895197
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5290
master:
ipa-4-8:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-9:
ipa-4-6: