On Wed, 18 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
>On Mon, 16 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
>>On Fri, 13 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
>>>On Wed, 11 Nov 2020, Stanislav Levin via FreeIPA-devel wrote:
>>>>
>>>>
>>>>11.11.2020 14:11, Alexander Bokovoy via FreeIPA-devel wrote:
>>>>>On Wed, 11 Nov 2020, Stanislav Levin wrote:
>>>>>>>
>>>>>>>On top of that we have a worrying behavior of the Azure CI with regards
>>>>>>>to DNSSEC that waits for investigation.
>>>>>>please, where to see the failure?
>>>>>
>>>>>You can look, for example, at
>>>>>https://github.com/freeipa/freeipa/pull/5248
>>>>It is like
>>>>https://pagure.io/freeipa/issue/8538
>>>>
>>>>At least, 389-ds logging may be raised to 8192 from the current one (0)
>>>>for debugging.
>>>>
>>>We already have debugging enabled in Azure CI builds. I uploaded logs to
>>>the issue 8538.
>>>
>>>To me this looks like 389-ds issue 4363 is not really fixed yet.
>>
>>I ran a few experiments with Rawhide and git master over the weekend. Here is
>>my status before 4.9.0-rc1 release preparation:
>>
>>- Master branch seems to be no worse than 4.8.0 in terms of running on
>>  Fedora 32 in Azure Pipelines CI and PR CI.
>>
>>- Rawhide has fixes for certmonger and 389-ds-base but I was unable to
>>  get them fully tested due to an upgrade of glibc that made it impossible to
>>  use Azure Pipelines with Rawhide anymore on kernels less than v5.8.
>>
>>glibc changed the implementation of faccessat() to use faccessat2() if this
>>syscall is available at compile time -- this requires kernel v5.8 or
>>later. As a result, systemd cannot start anymore in an unprivileged
>>container on Azure Pipelines CI even with host Ubuntu 20.04 which uses
>>v5.4. The exact solution is unclear yet because it is a general issue
>>with libseccomp not knowing about newer syscalls and not being able to
>>filter out unknown syscalls in a way that would trigger a fallback to
>>faccessat() in glibc.
>>
>>This is a generic issue -- other projects saw a similar fallout when
>>coreutils and other projects started to use the statx() syscall. For
>>example, https://bugzilla.redhat.com/show_bug.cgi?id=1784228 outlines
>>this for libuv which is used by Node.js.
>>
>>libseccomp only added support for faccessat2() in version 2.5:
>>https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01,
>>this version is available in Debian Sid already, so one option would be
>>to try to update the host image at runtime to use the newer libseccomp2
>>package from Sid (it is easily installable on top of Focal repositories,
>>I checked), then restart docker and reuse our unprivileged containers.
>
>An update to the FreeIPA 4.9.0 release candidate releases.
>
>We merged most of the fixes regarding Rawhide runs to git master and I
>branched ipa-4-9 for a new release.
>
>FreeIPA 4.9.0 release candidate 1 is out now and is built in Rawhide.
>There is a bug in the client-only build which should now be addressed with
>PR: https://github.com/freeipa/freeipa/pull/5276
>
>Armando did set up PR CI to track the ipa-4-9 branch. I did the same for
>Azure Pipelines. There is also a label 'ipa-4-9' for proposing pull
>requests for the backports.
Another update.

I am planning for FreeIPA 4.9.0 release candidate 2 for December 1st.

Rawhide state:

- bind-dyndb-ldap 11.6-1.fc34 should be in a working state against BIND
  9.11 now. Installing an IPA master with integrated DNS works just fine.

- python3-dns 2.1.0-0.1.rc1.fc34 is broken and does not allow installing
  an IPA replica. This should be fixed with python3-dns 2.1.0-0.2.rc1.fc34:
  https://bodhi.fedoraproject.org/updates/FEDORA-2020-622a2dccdc
  With this fix installing an IPA replica works fine.

- The spec file for FreeIPA needs updates based on our recent discussions
  with Thomas for RHEL 8.4 packaging. I'll handle this in
  https://github.com/freeipa/freeipa/pull/5279
Pull requests I expect to land before the 4.9.0rc2 release:

5294  Allow Apache to answer to ipa-ca requests without  (ipa-4-9)
      https://github.com/freeipa/freeipa/pull/5294  {'failure': 1, 'success': 1, 'pending': 28}

5292  Always define the path DNSSEC_OPENSSL_CONF  (ipa-4-9)
      https://github.com/freeipa/freeipa/pull/5292  {'success': 1, 'pending': 3}

5290  Improve PKI subsystem detection  (ipa-4-6, ipa-4-8, ipa-4-9)
      https://github.com/freeipa/freeipa/pull/5290  {'success': 1, 'failure': 1, 'pending': 24}

5279  freeipa.spec.in: unify spec files across upstream  (WIP, ipa-4-9)
      https://github.com/freeipa/freeipa/pull/5279  {'success': 1, 'pending': 24}

5199  Change KRA profiles in certmonger tracking so they  (ipa-4-6, ipa-4-8, ipa-4-9)
      https://github.com/freeipa/freeipa/pull/5199  {'success': 1, 'pending': 27, 'failure': 1, 'error': 1}

If you have other suggested fixes, please mark them with the ipa-4-9 label.
Difference between 4.9.0rc1 and the ipa-4-9 branch so far:

== Resolved tickets ==
* [https://pagure.io/freeipa/issue/3299 #3299] [RFE] Switch the client to JSON RPC
* [https://pagure.io/freeipa/issue/7676 #7676] ([https://bugzilla.redhat.com/show_bug.cgi?id=1544379 rhbz#1544379]) ipa-client-install changes system wide ssh configuration
* [https://pagure.io/freeipa/issue/8424 #8424] Add ipa.p11-kit to ipa-client-install man page files list
* [https://pagure.io/freeipa/issue/8531 #8531] RFE: Use host keytab to obtain ticket for ipa-certupdate
* [https://pagure.io/freeipa/issue/8554 #8554] ([https://bugzilla.redhat.com/show_bug.cgi?id=1891056 rhbz#1891056]) ipa-kdb: support subordinate/superior UPN suffixes
* [https://pagure.io/freeipa/issue/8581 #8581] Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing)
* [https://pagure.io/freeipa/issue/8587 #8587] client-only build fails due to unconditional use of pwquality features
* [https://pagure.io/freeipa/issue/8590 #8590] Nightly test failure in test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default::setup
== Detailed changelog since 4.9.10 ==

=== Armando Neto (1) ===
* ipatests: Bump PR-CI templates
  [https://pagure.io/freeipa/c/a3c5c71925b5fd8faa56379d92fa19631d230108 commit]

=== Alexander Bokovoy (2) ===
* ad trust: accept subordinate domains of the forest trust root
  [https://pagure.io/freeipa/c/381cc5e8eae1b7437fc15cb699983887d398f498 commit]
  [https://pagure.io/freeipa/issue/8554 #8554]
* util: Fix client-only build
  [https://pagure.io/freeipa/c/244704cc156dba0731671c55661d82073f970c9b commit]
  [https://pagure.io/freeipa/issue/8587 #8587]

=== Antonio Torres Moríñigo (1) ===
* ipa-client-install manpage: add ipa.p11-kit to list of files created
  [https://pagure.io/freeipa/c/08bbd0a2d712a5a7f1a02999390c4be2a9df3f0e commit]
  [https://pagure.io/freeipa/issue/8424 #8424]

=== Mohammad Rizwan (1) ===
* ipatests: Test certmonger IPA responder switched to JSONRPC
  [https://pagure.io/freeipa/c/25eebb21a2f85817691ce65c431d6b5de3bebe3b commit]
  [https://pagure.io/freeipa/issue/3299 #3299]

=== Rob Crittenden (10) ===
* ipatests: Increase timeout for ACME in gating.yaml
  [https://pagure.io/freeipa/c/17f293e9da0375bac4871c0100c6146a8c2f8e55 commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: honor class inheritance in TestACMEwithExternalCA
  [https://pagure.io/freeipa/c/75ad5757528491616f7f4e596bb9f6b152944d99 commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: configure MDStoreDir for mod_md ACME test
  [https://pagure.io/freeipa/c/b474b263ed0161ba8411cc84014e4d08a44ac15f commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Clean up existing ACME registration and certs
  [https://pagure.io/freeipa/c/5d286e79515c8a6c856a5acde6300271422acfac commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Configure a replica in TestACMEwithExternalCA
  [https://pagure.io/freeipa/c/de5baf8516cde060f1606070b2a8824f71178f16 commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: call the CALess install method to generate the CA
  [https://pagure.io/freeipa/c/3cd6b81a68be98ae9f60da67d2bc640831f0cf0c commit]
  [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Test that Match ProxyCommand masks on no shell exec
  [https://pagure.io/freeipa/c/d89e3abf2714092baae1607afd83da1c944d6c9f commit]
  [https://pagure.io/freeipa/issue/7676 #7676]
* Create IPA ssh client configuration and move ProxyCommand
  [https://pagure.io/freeipa/c/a525b2ebf01ffff83d0a5925035f4be0fc5c700c commit]
  [https://pagure.io/freeipa/issue/7676 #7676]
* ipatests: Test that ipa-certupdate can run without credentials
  [https://pagure.io/freeipa/c/4941d3d4b1ba10ccddf5429463debcefac6fbd9f commit]
  [https://pagure.io/freeipa/issue/8531 #8531]
* Use host keytab to obtain credentials needed for ipa-certupdate
  [https://pagure.io/freeipa/c/1a09ce9f3fa503eeefe394856be538892652accf commit]
  [https://pagure.io/freeipa/issue/8531 #8531]

=== Robbie Harwood (1) ===
* Fix krbtpolicy tests
  [https://pagure.io/freeipa/c/17a4198a666453dbec55409d4e2acc37a37b57ac commit]
  [https://pagure.io/freeipa/issue/8590 #8590]

=== Sudhir Menon (2) ===
* ipatests: support subordinate upn suffixes
  [https://pagure.io/freeipa/c/7e605e958ef6d41584afc238433669c15458ac67 commit]
* ipatests: Tests for ipahealthcheck.ds.nss_ssl
  [https://pagure.io/freeipa/c/46f114d9e751b2a092b975b909f0e890257a507d commit]
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
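The glibc/faccessat2 problem quoted earlier in this thread (a seccomp filter built against a libseccomp that does not know the syscall answers EPERM instead of ENOSYS, so glibc never falls back to faccessat()) can be checked from inside a container with the following diagnostic. It is an added example, not code from the thread or from the FreeIPA project; it assumes Linux and that syscall number 439 is faccessat2, which is the same on every architecture since kernel 5.8.

```c
/* Added example, not code from the FreeIPA thread or project. It probes how the
 * running kernel and any seccomp filter answer a raw faccessat2() call. Newer
 * glibc falls back to faccessat() only on ENOSYS; a filter that answers EPERM
 * for the unknown syscall defeats that fallback (systemd refusing to start). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumption: same number on all Linux architectures, kernel >= 5.8 */
#endif

enum faccessat2_state {
    FACCESSAT2_AVAILABLE = 0, /* the kernel implemented the call */
    FACCESSAT2_ENOSYS = 1,    /* old kernel or filter returning ENOSYS: glibc falls back */
    FACCESSAT2_BLOCKED = 2    /* filter returned EPERM: glibc's fallback never triggers */
};

/* Pure classification of a raw syscall result; testable without a kernel probe. */
enum faccessat2_state classify_faccessat2(long rc, int err)
{
    if (rc == 0)
        return FACCESSAT2_AVAILABLE;
    if (err == ENOSYS)
        return FACCESSAT2_ENOSYS;
    if (err == EPERM)
        return FACCESSAT2_BLOCKED;
    return FACCESSAT2_AVAILABLE; /* EACCES, ENOENT, ...: the kernel handled it */
}

/* Issue faccessat2(AT_FDCWD, "/", F_OK, 0) directly, bypassing the glibc wrapper. */
enum faccessat2_state probe_faccessat2(int *saved_errno)
{
    errno = 0;
    long rc = syscall(SYS_faccessat2, AT_FDCWD, "/", F_OK, 0);
    *saved_errno = errno;
    return classify_faccessat2(rc, errno);
}

int main(void)
{
    int err = 0;
    enum faccessat2_state st = probe_faccessat2(&err);
    printf("faccessat2 state %d (0=works, 1=ENOSYS/fallback, 2=blocked), errno=%d\n", st, err);
    return 0;
}
```

Run it once on the host and once inside the unprivileged container: state 1 means glibc's fallback will work, state 2 is the libseccomp-too-old case from the thread.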