URL: https://github.com/freeipa/freeipa/pull/3073
Author: tiran
Title: #3073: Check for SELinux AVCs after installation
Action: opened
PR body:
"""
Look for SELinux violations after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3073/head:pr3073
git checkout pr3073
URL: https://github.com/freeipa/freeipa/pull/3071
Author: stanislavlevin
Title: #3071: Allow acquire `_CrossProcessLock` on owner kill
Action: opened
PR body:
"""
For now the lock can be acquired only if the previous owner has
released filelock or on timeout (1h).
There are cases when the owner dies before releasing the lock (e.g. on upgrade).
This leads to lock-waiting for expire date by all the other processes
being synced.
An additional check for owner status was added. If a previous owner
is dead then an awaiting process becomes a new lock owner.
Fixes: https://pagure.io/freeipa/issue/7924
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3071/head:pr3071
git checkout pr3071
URL: https://github.com/freeipa/freeipa/pull/3077
Author: abbra
Title: #3077: Backport FTBS fixes to ipa-4-7
Action: opened
PR body:
"""
As requested by @tjaalton and also required for Fedora, backport Samba talloc_stackframe.h changes to ipa-4-7 branch.
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_stackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
Resolves: rhbz#1678670
Reviewed-By: Alexander Bokovoy <abokovoy(a)redhat.com>
Reviewed-By: Rob Crittenden <rcritten(a)redhat.com>
Reviewed-By: François Cami <fcami(a)redhat.com>
(cherry picked from commit d1f5ed64e16d65b9df45cc0eac7d2724dcae7b67)
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3077/head:pr3077
git checkout pr3077
URL: https://github.com/freeipa/freeipa/pull/3074
Author: tiran
Title: #3074: [Backport][ipa-4-7] Globally disable softhsm2 in p11-kit-proxy
Action: opened
PR body:
"""
Manual backport of PR #3063
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst others, p11-kit loads the SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example, certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server neither needs nor uses SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3074/head:pr3074
git checkout pr3074
URL: https://github.com/freeipa/freeipa/pull/3066
Author: xxblx
Title: #3066: Check have packages for extra features been installed before restoring backup
Action: opened
PR body:
"""
Check have packages for extra features been installed before restoring backup
`ipa-restore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed, the full backup should be refused and an error message with suggestions should be shown.
If the corresponding packages for these features are not installed before restoring the backup, it may cause a situation where the packages are installed after the restore. In that case, configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before running `ipa-restore --full`, then when the package is installed it will also bring in the `samba` package according to the dependencies. At the `samba` installation step, the existing correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.
Fixes: https://pagure.io/freeipa/issue/7630
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3066/head:pr3066
git checkout pr3066
URL: https://github.com/freeipa/freeipa/pull/3063
Author: tiran
Title: #3063: Globally disable softhsm2 in p11-kit-proxy
Action: opened
PR body:
"""
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst others, p11-kit loads the SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example, certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server neither needs nor uses SoftHSM2 proxied by p11-kit.
Related: pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3063/head:pr3063
git checkout pr3063
URL: https://github.com/freeipa/freeipa/pull/3052
Author: tiran
Title: #3052: Pass token_name to certmonger
Action: opened
PR body:
"""
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3052/head:pr3052
git checkout pr3052
URL: https://github.com/freeipa/freeipa/pull/3067
Author: tiran
Title: #3067: [Backport][ipa-4-7] Deprecate ipa-client-install --request-cert
Action: opened
PR body:
"""
This PR was opened automatically because PR #3053 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3067/head:pr3067
git checkout pr3067
URL: https://github.com/freeipa/freeipa/pull/3064
Author: wladich
Title: #3064: fix test test_integration/test_commands.py::test_ssh_key_connection
Action: opened
PR body:
"""
In testcase test_ssh_key_connection the value provided by the tmpdir fixture
is used as a regular string, i.e. passed as an argument to os.path.join.
tmpdir is an instance of py.path.local, and in old versions of the package
python-py it does not have the methods of a string object,
which causes this test to fail in distributions where such a version of
python-py is installed.
Fixed by explicitly changing the type of tmpdir to str.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3064/head:pr3064
git checkout pr3064