On Wed, 20 Jan 2021, Alexander Bokovoy via FreeIPA-devel wrote:
>On Thu, 14 Jan 2021, Alexander Bokovoy via FreeIPA-devel wrote:
>>Hi,
>>
>>I am planning to do FreeIPA 4.9.1 release by end of this week or early
>>next week. Draft release notes are available here:
>>https://vda.li/drafts/freeipa-4.9.1-release-notes.html
>>
>>As usual, please update 'changelog' field in a corresponding Pagure
>>ticket if you want to include something into the release notes.
>>Alternatively, a commit message should have RN: prefixed line, all those
>>lines will be included into release notes as well.
>>
>>Currently we have the following tickets fixed. Some of them were fixed
>>in the previous releases but as they were mentioned in the commit
>>messages for test updates, fixups, they are included:
>>
>>#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
>>#8501 Unify how FreeIPA gets FQDN of current host
>>#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
>>#8519 Fedora container platform is incomplete
>>#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
>>#8528 Use separate logs for AD Trust and DNS installer
>>#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
>>#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
>>#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
>>#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
>>#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
>>#8646 permission-mod attrs, includedattrs and excludedattrs issues
>>#8650 Updated dnspython-2.1.0 causes a test failure
>>#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
>>#8656 Use client keytab for 389ds
>>
>>Out of those I think #8646 and all RHBZs are worth a release note
>>update.
>>
>>Before the release, we might also consider improvement to #8656 because
>>current fix does not cover upgrade. Any volunteer?
>>
>>Current state of the PRs that are targeting ipa-4-9:
>>$ ./ipatool pr-list --label ipa-4-9
>>5424 ipatest: fix test_upgrade.py::TestUpgrade::()::tes ipa-4-6 ipa-4-8 ipa-4-9 needs review https://github.com/freeipa/freeipa/pull/5424
>>5419 Test that IPA certs are removed on server uninstal WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5419
>>5408 upgrade.py: restart CS for 30 seconds until it is WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5408
>>5392 Add cgroup v2 support to the minimum RAM checker ipa-4-9 https://github.com/freeipa/freeipa/pull/5392
>>5389 Revert "Remove test for minimum ACME support and r ipa-4-9 https://github.com/freeipa/freeipa/pull/5389
>>5387 Raise RuntimeError when kinit_armor fails ipa-4-9 https://github.com/freeipa/freeipa/pull/5387
>>5313 Gracefully handle Nsds5replicalastupdateend's abse WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5313
>>5198 tox.ini: Extend max-line-length from 80 to 88+ ipa-4-8 ipa-4-9 needs review trivial https://github.com/freeipa/freeipa/pull/5198
>>5176 freeipa.spec.in: client: depend on libsss_sudo WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5176
>>
>>Let me know which of them will be fixed by the end of the week. I also
>>have a number of trust-related improvements I hope to complete before
>>next week but if I slip on those, we can do 4.9.1 release without
>>them.
>
>Current state. Following tickets already fixed in ipa-4-9 branch:
>
>#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
>#8501 Unify how FreeIPA gets FQDN of current host
>#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
>#8519 Fedora container platform is incomplete
>#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
>#8528 Use separate logs for AD Trust and DNS installer
>#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
>#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
>#8596 (rhbz#1895197) improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
>#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
>#8614 Remove ca.crt from the system-wide store on uninstall
>#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
>#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
>#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
>#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
>#8646 permission-mod attrs, includedattrs and excludedattrs issues
>#8650 Updated dnspython-2.1.0 causes a test failure
>#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
>#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
>#8656 Use client keytab for 389ds
>#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
>#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
>
>FIPS-related fixes in trusted domain code cause a regression with
>external trust which I am trying to fix now. The fixes are almost ready
>in PR#5436: https://github.com/freeipa/freeipa/pull/5436
>
>Other opened PRs targeting ipa-4-9:
>
>5451 ipatests: test_ipahealthcheck: fix units WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5451
>5434 ipatests: use fully qualified name for AD admin wh ipa-4-9 https://github.com/freeipa/freeipa/pull/5434
>5427 ipatests: rewrite test for requests routing to sub ipa-4-8 ipa-4-9 needs review https://github.com/freeipa/freeipa/pull/5427
>5408 upgrade.py: restart CS for 30 seconds until it is WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5408
>5392 Add cgroup v2 support to the minimum RAM checker ipa-4-9 https://github.com/freeipa/freeipa/pull/5392
>5387 Raise RuntimeError when kinit_armor fails ipa-4-9 https://github.com/freeipa/freeipa/pull/5387
>5313 Gracefully handle Nsds5replicalastupdateend's abse WIP ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5313
>5198 tox.ini: Extend max-line-length from 80 to 88+ ipa-4-8 ipa-4-9 needs review trivial https://github.com/freeipa/freeipa/pull/5198
>5176 freeipa.spec.in: client: depend on libsss_sudo ipa-4-8 ipa-4-9 needs review https://github.com/freeipa/freeipa/pull/5176
>
>I think we also need to make up our minds about:
>
>https://github.com/freeipa/freeipa/pull/5452 - Custodia fixes
>
>https://github.com/freeipa/freeipa/pull/5444 - DNSSEC fixes which currently lack upgrade changes
>
>and work on the upgrade code for the ticket #8656 (Use client keytab for
>389ds)

Another update. The changes to ticket #8656 are not needed because we already
handle upgrade of the directory server's systemd snippet since 2019. So
this part is good.

Trust-related fixes were merged, as well as support for cgroup v2 in
a containerized environment. Right now there is one outstanding bug in
trust tests related to Samba 4.13+ lockdown on NTLMSSP authentication in
Fedora 33+ and RHEL 8.4+. This is handled with
https://github.com/freeipa/freeipa/pull/5473

I completed work on allowing AD users/groups in sudo rules in
https://github.com/freeipa/freeipa/pull/4792. The tests there pass just
fine, a review is needed.

List of closed tickets and bugs for ipa-4-9 as of this morning:

#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000

It looks like DNSSEC PR (5444) and Custodia fixes PR (5452) need more
work, there are still failing test suites. Most of the failures are related
to DNS handling in the test environment.

Once trust-related PRs 5473 and 4792 are reviewed and pushed, I'll work on
4.9.1 release. Hopefully this will happen today.

I think we are ready with FreeIPA 4.9.1 release.
You can find draft release notes at
I'll do a release today.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland