Bug 1859177 - Running ipa-server-install fails on machine where libsss_sudo is not installed
Summary: Running ipa-server-install fails on machine where libsss_sudo is not installed
Keywords:
Status: CLOSED DUPLICATE of bug 1859185
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-21 11:52 UTC by Jan Pazdziora
Modified: 2020-07-21 12:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1859185 (view as bug list)
Environment:
Last Closed: 2020-07-21 12:07:49 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2020-07-21 11:52:09 UTC
Description of problem:

In an environment where libsss_sudo is not installed, such as in a container but on a host alike, ipa-server-install now fails to finish properly.

Version-Release number of selected component (if applicable):

pki-server-10.9.0-0.2.fc33.noarch
freeipa-server-4.8.7-1.fc33.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y /usr/lib64/libsss_sudo.so
2. dnf install -y --setopt=install_weak_deps=False freeipa-server
3. ipa-server-install -U -r EXAMPLE.TEST -p Secret123 -a Secret123

Actual results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpag8a3qe6'] returned non-zero exit status 1: 'Notice: Trust flag u is set automatically if the private key is present.\nERROR: Exception: CA subsystem did not start after 60s\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main\n    scriptlet.spawn(deployer)\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 886, in spawn\n    deployer.instance.wait_for_startup(\n  File "/usr/lib/python3.9/site-packages/pki/server/deployment/pkihelper.py", line 891, in wait_for_startup\n    raise Exception(\'%s subsystem did not start after %ds\' %\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:

  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
  [2/30]: Add ipa-pki-wait-running
  [3/30]: secure AJP connector
  [4/30]: reindex attributes
  [5/30]: exporting Dogtag certificate store pin
  [6/30]: stopping certificate server instance to update CS.cfg
[...]
The ipa-server-install command was successful

Additional info:

Either whatever component requires / configures libsss_sudo to be present should hard-require it, or ideally sudo shouldn't be used by the installer.

This is a regression against Fedora 32.

Comment 1 Jan Pazdziora 2020-07-21 12:07:49 UTC
I put in the wrong traceback (the one from bug 1857043), so I've now filed a better bug, 1859185.

*** This bug has been marked as a duplicate of bug 1859185 ***

