Bug 1491056
Summary: | [Modular Server] FreeIPA enrolment via kickstart fails | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 27 | CC: | abokovoy, ipa-maint, jcholast, jhrozek, kparal, mkosek, pvoborni, rcritten, robatino, sbose, slaznick, ssorce, stefw, tkrizek |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | AcceptedBlocker | | |
Fixed In Version: | freeipa-4.6.0-3.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-10-16 22:23:34 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1396702 | | |
Attachments: | | | |
Description
Adam Williamson
2017-09-12 23:21:12 UTC
Proposing as a Beta blocker, per Alpha criterion "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain" - kickstart is the only available mechanism for enrolling in a FreeIPA domain at install time, and per this test, it's failing. CC some FreeIPA folks.

Created attachment 1325079 [details]
/var/log contents from the client (tar.gz)
Created attachment 1325080 [details]
/var/log contents from the server (.tar.gz) - note other client enrolment tests ran against the same server, IP of failed client is 10.0.2.102

Looks like you're right. The regex is expecting bytes but getting a string. CC'ing Standa as he is more familiar with the Py3 conversion, particularly with this code.

I don't think that's the cause of the key bug here, though - from the timestamps and log sequence it looks like the bytes thing happens during the attempt to rollback the failed client enrolment process. i.e. it's really a separate bug during rollback. Unless I'm missing something. I can file it separately if you like.

Adam, sorry about this issue. It does not usually happen for the CA certs retrieval to fall back to HTTP so nobody probably ran into this during development, neither did our testing suite, I guess. I created a fix, please, see if it helps: https://patch-diff.githubusercontent.com/raw/freeipa/freeipa/pull/1071.patch Looking into the log on the client, you see that the try to get the CA cert is actually the last thing that was there before the uninstall attempt.

Testing is slightly tricky because this is triggered from the installer...thinking about it, it probably does the enrolment from a chroot into the installed system, so just getting the patch into the installed system somehow should be enough. I'll try and work on that tomorrow. Is the fact that it falls back to HTTP on this path a problem in itself?

Looks like it turned out to be an IPA issue, changing component to FreeIPA.

Hopefully it should not be a problem if it succeeds retrieving the certificate successfully.

Fixed upstream
master: https://pagure.io/freeipa/c/c4505f080479068db41c1a6ed99945b973cb0134
ipa-4-6: https://pagure.io/freeipa/c/ba4386599331cf81d222687d658f5ce54e923478

freeipa-4.6.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

+1 Beta Blocker

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

Discussed at 2017-09-14 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-09-14/f27-beta-go-no-go-meeting.2017-09-14-17.00.html . Accepted as a blocker per criterion cited in #c1.

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

This is an accepted blocker, we still need to verify the fix.

Works fine in current F27, e.g. https://openqa.fedoraproject.org/tests/158733 .