URL: https://github.com/freeipa/freeipa/pull/1170
Author: tomaskrizek
Title: #1170: Increase dbus client timeouts during CA install
Action: opened
PR body:
"""
See original PR: #1078
---
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1170/head:pr1170
git checkout pr1170
The FreeIPA team would like to announce FreeIPA 4.5.4 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 25 and 26 will be available in the official COPR repository
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-5/ .
== Highlights in 4.5.4 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.5.4 is a stabilization release for the features delivered as a
part of 4.5.0.
There are more than 30 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7179 In case full PKINIT configuration is failing during
server/replica install the error message should be more meaningful.
* 7175 [Backport 7143 to ipa-4-5] "unknown command 'undefined'" error
when changing user's password via the web UI
* 7173 Switch from externally-signed to self-signed CA fails
* 7172 Enterprise principals should be able to trigger a refresh of the
trusted domain data in the KDC
* 7146 ipa_otptoken_import.py fails to parse the correct suite defined
under the AlgorithmParameters
* 7144 pkinit-status command fails after an upgrade from a pre-4.5 IPA
* 7141 Updating from RHEL 7.3 fails with Server-Cert not found
(ipa-server-upgrade)
* 7127 sssd.conf not updated after promoting client to promotion
* 7126 FreeIPA/IdM installations which were upgraded from versions with
389 DS prior to 1.3.3.0 don't have the whoami plugin enabled and thus
startup of Web UI fails
* 7125 ipa-server-upgrade fails with "This entry already exists"
* 7123 External CA renewal fails when IPA CA subject DN does not match
"CN=Certificate Authority, {subject-base}"
* 7120 Unable to set ca renewal master on replica
* 7116 dnssec: fix localhsm.py with openhsm >= 2.2.0
* 7112 user-show command fails when sizelimit is configured to number <=
number of entity which is user member of
* 7108 ipa-backup broken because of cyclic import
* 7106 TypeError in renew_ca_cert prevents switching back to
self-signed CA
* 7086 [ipatests] - add caless to cafull tests
* 7083 failed ipa-server-upgrade, time out from dogtag services,
custodia errors
* 7074 IPA shouldn't allow objectclass if not all in lower case
* 7066 WebUI: All columns of user in group table are clickable
* 7035 ipa-otptoken-import - XML file is missing PBKDF2 parameters!
* 7017 NULL LDAP context in call to ldap_search_ext_s during search in
cn=ad,cn=trusts,dc=example,dc=com
* 6999 ipa command throws backtrace instead of showing help with wrong
syntax
* 6979 Suggest user to install libyubikey package instead of traceback
* 6952 Suggest CA installation command in KRA installation warning
* 6622 [tests] ipatests.util.unlock_principal_password does not respect
configured ldap_uri
* 6605 make lint + make modifies PO files in place
* 6592 [tracker] SELinux policy tracker for 4.5
* 6582 Web UI: Change "Host Based" and "Role Based" to "Host-Based" and
"Role-Based"
* 6447 [WebUI] Remove offline version of WebUI
* 6261 Replace ERROR: cannot connect to
'http://localhost:8888/ipa/json': [Errno 111] Connection refused with
'IPA is not configured on this system'
* 6176 Updating of dns system records rapidly slowdown uninstallation
== Detailed changelog since 4.5.3 ==
=== Alexander Bokovoy (2) ===
* Make sure upgrade also checks for IPv6 stack
* OTP import: support hash names with HMAC- prefix
=== Abhijeet Kasurde (1) ===
* Vault testcase improvement
=== Alexander Koksharov (1) ===
* kra-install: better warning message
=== Aleksei Slaikovskii (2) ===
* ipaclient.plugins.dns: Cast DNS name to unicode.
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (1) ===
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kreitschmann (2) ===
* Disable pylint in get_help function because of type confusion.
* Store help in Schema before writing to disk
=== David Kupka (11) ===
* tests: Add LDAP URI to ldappasswd explicitly
* tests: certmap: Add test for user-{add,remove}-certmap
* tests: tracker: Add CertmapdataMixin tracker
* tests: certmap: Add test for certmapconfig-{mod,show}
* tests: tracker: Add CertmapconfigTracker to tests certmapconfig-* commands
* tests: certmap: Test permissions for certmap
* tests: certmap: Add basic tests for certmaprule commands
* tests: tracker: Add CertmapTracker for testing certmap-* commands
* tests: tracker: Add ConfigurationTracker to test *config-{mod,show}
commands
* tests: tracker: Add EnableTracker to test *-{enable,disable} commands
* tests: tracker: Split Tracker into one-purpose Trackers
=== Felipe Volpone (4) ===
* Changing idoverrideuser-* to treat objectClass case insensitively
* Fixing how sssd.conf is updated when promoting a client to replica
* Removing part of circular dependency of ipalib in ipaplatform
* Changing how commands handle error when they can't connect to IPA server
=== Florence Blanc-Renaud (5) ===
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* Backport 4-5: Fix ipa-server-upgrade with server cert tracking
* Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already
exists
* Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca)
* Fix ipa config-mod --ca-renewal-master
=== Fraser Tweedale (2) ===
* Fix external renewal for CA with non-default subject DN
* Restore old version of caIPAserviceCert for upgrade only
=== Martin Basti (1) ===
* DNS update: reduce timeout for CA records
=== Michal Reznik (3) ===
* test_caless: add replica ca-less to ca-full test (master caless)
* test_caless: add server_replica ca-less to ca-full test
* tests: fix external_ca test suite failing due to missing SKI
=== Nathaniel McCallum (1) ===
* ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
=== Petr Čech (1) ===
* ipatests: Fix on logs collection
=== Petr Vobornik (2) ===
* log progress of wait_for_open_ports
* control logging of host_port_open from caller
=== Pavel Vomacka (9) ===
* WebUI: Fix calling undefined method during reset passwords
* WebUI: remove unused parameter from get_whoami_command
* Adds whoami DS plugin in case that plugin is missing
* WebUI: remove creating js/libs symlink from makefile
* WebUI: Remove plugins symlink as it is unused
* Remove all old JSON files
* Revert "Web UI: Remove offline version of Web UI"
* WebUI: Add hyphenated versions of Host(Role) Based strings
* WebUI: fix incorrectly shown links in association tables
=== Rob Crittenden (1) ===
* Collect group membership without a size limit
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Stanislav Laznicka (4) ===
* travis: make tests fail if pep8 does not pass
* Use correct container for ipa-4-5 testing
* pkinit: don't fail when no pkinit servers found
* travis: temporary workaround for Travis CI
=== Thierry Bordaz (1) ===
* NULL LDAP context in call to ldap_search_ext_s during search
=== Tibor Dudlák (1) ===
* otptoken_yubikey.py: Removed traceback when package missing.
=== Tomas Krizek (11) ===
* Become IPA 4.5.4
* Update contributors
* Update translations
* prci: use f26 template for ipa-4-5
* ipatests: collect log after ipa-ca-install
* dnssec: fix localhsm.py utility script
* prci: rename template to ci-ipa-4-5-f25
* prci: add caless tests
* build: checkout *.po files at the end of makerpms.sh
* freeipa-pr-ci: enable pull-request CI
* 4.5 set back to git snapshot
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
URL: https://github.com/freeipa/freeipa/pull/1174
Author: tomaskrizek
Title: #1174: [Backport][ipa-4-5] ipatests: Fix on logs collection
Action: opened
PR body:
"""
Original PR: #1168
---
If the function `install_kra` or `install_ca` fails
on call `host.run_command(command, raiseonerr=raiseonerr)`
then the logs are not collected.
This situation is not optimal because we need to see what happened
during debugging of the tests.
So, this patch solves this situation and it adds a try-finally
construction.
https://pagure.io/freeipa/issue/7214
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1174/head:pr1174
git checkout pr1174
URL: https://github.com/freeipa/freeipa/pull/1172
Author: tomaskrizek
Title: #1172: [Backport][ipa-4-6] ipa-cacert-manage renew: switch from ext-signed CA to self-signed
Action: opened
PR body:
"""
This PR was opened automatically because PR #1119 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1172/head:pr1172
git checkout pr1172
URL: https://github.com/freeipa/freeipa/pull/1171
Author: tomaskrizek
Title: #1171: [Backport][ipa-4-6] tests: correct usage of host.hostname in logger in tasks
Action: opened
PR body:
"""
This PR was opened automatically because PR #1147 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1171/head:pr1171
git checkout pr1171
URL: https://github.com/freeipa/freeipa/pull/1173
Author: tomaskrizek
Title: #1173: [Backport][ipa-4-5] ipa-cacert-manage renew: switch from ext-signed CA to self-signed
Action: opened
PR body:
"""
This PR was opened automatically because PR #1119 was pushed to master and backport to ipa-4-5 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1173/head:pr1173
git checkout pr1173
URL: https://github.com/freeipa/freeipa/pull/1136
Author: slaykovsky
Title: #1136: ipaclient.plugins.dns: Cast DNS name to unicode.
Action: opened
PR body:
"""
cmd.api.Command.dnsrecord_split_parts expects name to be a unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text
This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.
https://pagure.io/freeipa/issue/7185
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1136/head:pr1136
git checkout pr1136
URL: https://github.com/freeipa/freeipa/pull/1119
Author: flo-renaud
Title: #1119: ipa-cacert-manage renew: switch from ext-signed CA to self-signed
Action: opened
PR body:
"""
The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.
When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.
https://pagure.io/freeipa/issue/7173
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1119/head:pr1119
git checkout pr1119
URL: https://github.com/freeipa/freeipa/pull/1167
Author: tomaskrizek
Title: #1167: [Backport][ipa-4-6] p11-kit: add serial number in DER format
Action: opened
PR body:
"""
This PR was opened automatically because PR #1156 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1167/head:pr1167
git checkout pr1167