Comments page #1 of 3 pages

  • Update works for me on latest F31

    karma: +1 #1759290: +1
  • ipa-server-install is failing with the latest build. httpd is unable to load the cert generated by FreeIPA.

    log

      [18/21]: enable KDC proxy
      [19/21]: starting httpd
      [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
    CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
    [root@host-10-0-137-103 ~]# 
    [root@host-10-0-137-103 ~]# systemctl status httpd
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/httpd.service.d
               └─ipa.conf
       Active: failed (Result: exit-code) since Fri 2019-09-20 11:43:20 EDT; 18s ago
         Docs: man:httpd.service(8)
      Process: 23686 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
      Process: 23688 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
     Main PID: 23688 (code=exited, status=1/FAILURE)
       Status: "Reading configuration..."
          CPU: 371ms
    
    Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Starting The Apache HTTP Server...
    Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa: INFO: KDC proxy enabled
    Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
    Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: AH00526: Syntax error on line 102 of /etc/httpd/conf.d/ssl.conf:
    Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does not exist or is empty
    Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
    Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Failed with result 'exit-code'.
    Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Failed to start The Apache HTTP Server.
    

    cert

    # ls -laZ /var/lib/ipa/certs/
    total 12
    drwxr-xr-x.  2 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:43 .
    drwxr-xr-x. 10 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:42 ..
    -rw-------.  1 root root system_u:object_r:ipa_var_lib_t:s0 1911 Sep 20 11:43 httpd.crt
    

    AVC

    time->Fri Sep 20 11:43:20 2019
    type=AVC msg=audit(1568994200.979:751): avc:  denied  { getattr } for  pid=23688 comm="httpd" path="/var/lib/ipa/certs/httpd.crt" dev="vda1" ino=1577788 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0
    

    versions

    # rpm -qa httpd selinux-policy
    httpd-2.4.41-1.fc31.x86_64
    selinux-policy-3.14.4-34.fc31.noarch
    
    karma: -1 critpath: -1
  • The update broke one of FreeIPA's tests for automember rules, https://pagure.io/freeipa/issue/7902

  • IPA's test suite is passing with 1.4.0.21.

    Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855 .

    karma: +1
  • IPA's test suite is passing with 1.4.0.21.

    Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855 .

    karma: +1
  • I'm trusting Adam and Robby to do the right thing (tm).

    karma: +1
  • FreeIPA test suite is passing with nss-3.41.0-3.fc28, https://github.com/freeipa/freeipa/pull/2700, thanks!

    Tomas suggested that the update was locked because the upload to updates-testing was pending.

    karma: +1 critpath: +1
  • nss-3.41.0-2.fc28 no longer runs update-crypto-policies in the post/postun hooks. The update doesn't fix a system that had 3.40 or 3.41.0-1 installed.

    karma: -1 critpath: -1
  • FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.

    karma: +1
  • FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.

    karma: +1
  • I successfully tested installation and uninstallation of a FreeIPA server with freeipa-server-4.7.0-5.fc29.x86_64 and authselect-1.0.2-1.fc29.x86_64

    karma: +1
  • I successfully tested installation and uninstallation of a FreeIPA server with authselect-1.0.2-1.fc28.x86_64 and freeipa-server-4.7.0-5.fc28.x86_64.

    karma: +1
  • Works and fixes the attribute error in is_subclass_of. Thanks!

    karma: +1 #1648299: +1
  • @tomegun Yes, I forgot to mention that I'm also working on FreeIPA.

    May I suggest that you file a Fedora change proposal for F30? Bonus points if you can offer a stable name that works with all supported Fedora versions (F27 to rawhide) and perhaps RHEL/CentOS, too.

  • Previous versions of dbus on Fedora had an alias. /usr/lib/systemd/system contained a symlink messagebus.service -> dbus.service. I would greatly appreciate if you could keep the alias in F29.