FreeIPA 4.9.1 preparation
by Alexander Bokovoy
Hi,
I am planning to do the FreeIPA 4.9.1 release by the end of this week or early
next week. Draft release notes are available here:
https://vda.li/drafts/freeipa-4.9.1-release-notes.html
As usual, please update the 'changelog' field in the corresponding Pagure
ticket if you want to include something in the release notes.
Alternatively, a commit message should have an RN:-prefixed line; all those
lines will be included in the release notes as well.
Currently we have the following tickets fixed. Some of them were fixed
in the previous releases but as they were mentioned in the commit
messages for test updates, fixups, they are included:
#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
Out of those I think #8646 and all RHBZs are worth a release note
update.
Before the release, we might also consider an improvement to #8656 because
the current fix does not cover upgrade. Any volunteer?
Current state of the PRs that are targeting ipa-4-9:
$ ./ipatool pr-list --label ipa-4-9
5424 ipatest: fix test_upgrade.py::TestUpgrade::()::tes ipa-4-6 ipa-4-8 ipa-4-9 needs review https://github.com/freeipa/freeipa/pull/5424
5419 Test that IPA certs are removed on server uninstal WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5419
5408 upgrade.py: restart CS for 30 seconds until it is WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5408
5392 Add cgroup v2 support to the minimum RAM checker ipa-4-9 https://github.com/freeipa/freeipa/pull/5392
5389 Revert "Remove test for minimum ACME support and r ipa-4-9 https://github.com/freeipa/freeipa/pull/5389
5387 Raise RuntimeError when kinit_armor fails ipa-4-9 https://github.com/freeipa/freeipa/pull/5387
5313 Gracefully handle Nsds5replicalastupdateend's abse WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5313
5198 tox.ini: Extend max-line-length from 80 to 88+ ipa-4-8 ipa-4-9 needs review trivial https://github.com/freeipa/freeipa/pull/5198
5176 freeipa.spec.in: client: depend on libsss_sudo WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5176
Let me know which of them will be fixed by the end of the week. I also
have a number of trust-related improvements I hope to complete before
next week, but if I slip on those, we can do the 4.9.1 release without
them.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[freeipa PR#5472][opened] Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
by fcami
URL: https://github.com/freeipa/freeipa/pull/5472
Author: fcami
Title: #5472: Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
Action: opened
PR body:
"""
Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.
Original commit message:
****************************************************
ipaCASubjectDN is used by lightweight sub CA feature.
ipaExternalMember is used by KRB driver to assemble MS-PAC records.
ipaNTSecurityIdentifier was only indexed for "pres" and was missing an
index on "eq". Samba and ipasam perform queries with SID string.
memberPrincipal is used by S4U2Proxy constrained delegation and by
ipa-custodia.
Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and
ipaKeyUsage are currently not indexed because an index would rarely be used
or have a poor selectivity.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
****************************************************
The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is
added by this commit.
Fixes: https://pagure.io/freeipa/issue/8677
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5472/head:pr5472
git checkout pr5472