January 2021 - FreeIPA-devel - Fedora Mailing-Lists

by Alexander Bokovoy

Hi, I am planning to do FreeIPA 4.9.1 release by end of this week or early next week. Draft release notes are available here: https://vda.li/drafts/freeipa-4.9.1-release-notes.html As usual, please update 'changelog' field in a corresponding Pagure ticket if you want to include something into the release notes. Alternatively, a commit message should have RN: prefixed line, all those lines will be included into release notes as well. Currently we have the following tickets fixed. Some of them were fixed in the previous releases but as they were mentioned in the commit messages for test updates, fixups, they are included: #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration #8501 Unify how FreeIPA gets FQDN of current host #8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add #8519 Fedora container platform is incomplete #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system #8528 Use separate logs for AD Trust and DNS installer #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates #8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred: #8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg #8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password #8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking #8646 permission-mod attrs, includedattrs and excludedattrs issues #8650 Updated dnspython-2.1.0 causes a test failure #8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode #8656 Use client keytab for 389ds Out of those I think #8646 and all RHBZs are worth a release note update. Before the release, we might also consider improvement to #8656 because current fix does not cover upgrade. Any volunteer? Current state of the PRs that are targetting ipa-4-9: $ ./ipatool pr-list --label ipa-4-9 5424 ipatest: fix test_upgrade.py::TestUpgrade::()::tes ipa-4-6 ipa-4-8 ipa-4-9 needs review https://github.com/freeipa/freeipa/pull/5424 5419 Test that IPA certs are removed on server uninstal WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5419 5408 upgrade.py: restart CS for 30 seconds until it is WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5408 5392 Add cgroup v2 support to the minimum RAM checker ipa-4-9 https://github.com/freeipa/freeipa/pull/5392 5389 Revert "Remove test for minimum ACME support and r ipa-4-9 https://github.com/freeipa/freeipa/pull/5389 5387 Raise RuntimeError when kinit_armor fails ipa-4-9 https://github.com/freeipa/freeipa/pull/5387 5313 Gracefully handle Nsds5replicalastupdateend's abse WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5313 5198 tox.ini: Extend max-line-length from 80 to 88+ ipa-4-8 ipa-4-9 needs review trivial https://github.com/freeipa/freeipa/pull/5198 5176 freeipa.spec.in: client: depend on libsss_sudo WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5176 Let me know which of them will be fixed by the end of the week. I also have a number of trust-related improvements I hope to complete before next week but if I'd slip on those, we can do 4.9.1 release without them. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

3 years, 3 months

1
3
0 / 0

[freeipa PR#5452][opened] Change NameType of custodia client's service

by frozencemetery

URL: https://github.com/freeipa/freeipa/pull/5452 Author: frozencemetery Title: #5452: Change NameType of custodia client's service Action: opened PR body: """ Using hostbased_service for initiators hits an unresolved corner case in Kerberos with respect to realm selection and canonicalization. However, we can just use None instead and avoid the issue. Fixes: https://pagure.io/freeipa/issue/8672 Signed-off-by: Robbie Harwood <rharwood(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5452/head:pr5452 git checkout pr5452

3 years, 3 months

1
1
0 / 0

[freeipa PR#5482][opened] [Backport][ipa-4-9] Sudorules ad users

by rcritten

URL: https://github.com/freeipa/freeipa/pull/5482 Author: rcritten Title: #5482: [Backport][ipa-4-9] Sudorules ad users Action: opened PR body: """ This PR was opened automatically because PR #4792 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5482/head:pr5482 git checkout pr5482

3 years, 3 months

1
1
0 / 0

[freeipa PR#5477][opened] ipatests: Don't assume sshd flush its logs immediately

by stanislavlevin

URL: https://github.com/freeipa/freeipa/pull/5477 Author: stanislavlevin Title: #5477: ipatests: Don't assume sshd flush its logs immediately Action: opened PR body: """ `sshd` logs are not displayed immediately in `journalctl`, this results in the tests checked the corresponding system logs are racy. I can't find a way to flush ones. So, the best is the time delay before reading the system log. I've experimented with the delay, 5 sec is not enough. Of course, this is just a workaround. Related: https://pagure.io/freeipa/issue/8682 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5477/head:pr5477 git checkout pr5477

3 years, 3 months

2
1
0 / 0

[freeipa PR#4792][closed] Sudorules ad users

by rcritten

URL: https://github.com/freeipa/freeipa/pull/4792 Author: abbra Title: #4792: Sudorules ad users Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4792/head:pr4792 git checkout pr4792

3 years, 3 months

1
0
0 / 0

[freeipa PR#5480][opened] Backport: Allow leading/trailing whitespaces in passwords

by rcritten

URL: https://github.com/freeipa/freeipa/pull/5480 Author: rcritten Title: #5480: Backport: Allow leading/trailing whitespaces in passwords Action: opened PR body: """ Allow leading/trailing whitespaces in passwords kwargs is redefined to set the `noextrawhitespace` parameter from the Str class to `False`. Fixes: https://pagure.io/freeipa/issue/7599 Signed-off-by: Antonio Torres Moríñigo <atorresm(a)protonmail.com> Reviewed-By: Alexander Bokovoy <abokovoy(a)redhat.com> Reviewed-By: Rob Crittenden <rcritten(a)redhat.com> It was a clean cherry-pick for the change and the test, adding ack. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5480/head:pr5480 git checkout pr5480

3 years, 3 months

1
1
0 / 0

[freeipa PR#5479][opened] Ipatests fix collect logs symlinks temp

by wladich

URL: https://github.com/freeipa/freeipa/pull/5479 Author: wladich Title: #5479: Ipatests fix collect logs symlinks temp Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5479/head:pr5479 git checkout pr5479

3 years, 3 months

1
1
0 / 0

[freeipa PR#5475][opened] Use Fedora 33 for temp commit

by wladich

URL: https://github.com/freeipa/freeipa/pull/5475 Author: wladich Title: #5475: Use Fedora 33 for temp commit Action: opened PR body: """ This is to keep temp commit template in line with "nightly_latest.yaml" """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5475/head:pr5475 git checkout pr5475

3 years, 3 months

1
1
0 / 0

[freeipa PR#5472][opened] Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5.

by fcami

URL: https://github.com/freeipa/freeipa/pull/5472 Author: fcami Title: #5472: Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5. Action: opened PR body: """ Manual backport of 9f0ec27e9f13ed40b8e58162d99bf9b0e8b4afd5. Original commit message: **************************************************** ipaCASubjectDN is used by lightweight sub CA feature. ipaExternalMember is used by KRB driver to assemble MS-PAC records. ipaNTSecurityIdentifier was only index for "pres" and was missing an index on "eq". Samba and ipasam perform queries with SID string. memberPrincipal is used by S4U2Proxy constrained delegation and by ipa-custodia. Also note that dnaHostname, ipServiceProtocol, ipaCertSubject, and ipaKeyUsage are currently not index because an index would rarely used or have a poor selectivity. Signed-off-by: Christian Heimes <cheimes(a)redhat.com> **************************************************** The ipaNTSecurityIdentifier entry was missing in ipa-4-6 and is added by this commit. Fixes: https://pagure.io/freeipa/issue/8677 Signed-off-by: François Cami <fcami(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5472/head:pr5472 git checkout pr5472

3 years, 3 months

2
1
0 / 0

[freeipa PR#5469][opened] [Backport][ipa-4-8] ipatests: fix expected output for ipahealthcheck.ipa.files

by rcritten

URL: https://github.com/freeipa/freeipa/pull/5469 Author: rcritten Title: #5469: [Backport][ipa-4-8] ipatests: fix expected output for ipahealthcheck.ipa.files Action: opened PR body: """ This PR was opened automatically because PR #5440 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5469/head:pr5469 git checkout pr5469

3 years, 3 months

1
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel January 2021