Comments

88 Comments

The problem has been fixed by python-request 2.22 package. The Fedora distgit has been updated but the update was never build and pushed to stable. F30 is still stuck on python3-requests-2.21.0-2.fc30.

F31 is fine, though.

karma

Update works for me on latest F31

BZ#1759290 Web UI login always fails ("preexec_fn not supported within subinterpreters")

ipa-server-install is failing with the latest build. httpd is unable to load the cert generated by FreeIPA.

log

  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
CalledProcessError(Command ['/bin/systemctl', 'start', 'httpd.service'] returned non-zero exit status 1: 'Job for httpd.service failed because the control process exited with error code.\nSee "systemctl status httpd.service" and "journalctl -xe" for details.\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@host-10-0-137-103 ~]# 
[root@host-10-0-137-103 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: failed (Result: exit-code) since Fri 2019-09-20 11:43:20 EDT; 18s ago
     Docs: man:httpd.service(8)
  Process: 23686 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
  Process: 23688 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 23688 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."
      CPU: 371ms

Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Starting The Apache HTTP Server...
Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa: INFO: KDC proxy enabled
Sep 20 11:43:20 host-10-0-137-103.ipa.example ipa-httpd-kdcproxy[23686]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: AH00526: Syntax error on line 102 of /etc/httpd/conf.d/ssl.conf:
Sep 20 11:43:20 host-10-0-137-103.ipa.example httpd[23688]: SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does not exist or is empty
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: httpd.service: Failed with result 'exit-code'.
Sep 20 11:43:20 host-10-0-137-103.ipa.example systemd[1]: Failed to start The Apache HTTP Server.

cert

# ls -laZ /var/lib/ipa/certs/
total 12
drwxr-xr-x.  2 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:43 .
drwxr-xr-x. 10 root root system_u:object_r:ipa_var_lib_t:s0 4096 Sep 20 11:42 ..
-rw-------.  1 root root system_u:object_r:ipa_var_lib_t:s0 1911 Sep 20 11:43 httpd.crt

AVC

time->Fri Sep 20 11:43:20 2019
type=AVC msg=audit(1568994200.979:751): avc:  denied  { getattr } for  pid=23688 comm="httpd" path="/var/lib/ipa/certs/httpd.crt" dev="vda1" ino=1577788 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=0

versions

# rpm -qa httpd selinux-policy
httpd-2.4.41-1.fc31.x86_64
selinux-policy-3.14.4-34.fc31.noarch
BZ#1706295 Fedora 29 firefox-65.0.1-1 All extensions disabled due to expiration of intermediate signing cert (Upstream bug)

The update broke one of FreeIPA's tests for automember rules, https://pagure.io/freeipa/issue/7902

IPA's test suite is passing with 1.4.0.21.

Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855 .

IPA's test suite is passing with 1.4.0.21.

Two automember tests were failing, probably caused by a known and requested change to the automember plugin, https://pagure.io/freeipa/issue/7855 .

karma

I'm trusting Adam and Robby to do the right thing (tm).

karma

FreeIPA test suite is passing with nss-3.41.0-3.fc28, https://github.com/freeipa/freeipa/pull/2700, thanks!

Tomas suggested that the update was locked because the upload to updates-testing was pending.

karma

nss-3.41.0-2.fc28 no longer runs update-crypto-policies in the post/postun hooks. The update doesn't fix a system that had 3.40 or 3.41.0-1 installed.

FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 28 successfully.

FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.

1.4.0.19 causes a regression in FreeIPA, https://pagure.io/freeipa/issue/7794

1.4.0.19 causes a regression in FreeIPA, https://pagure.io/freeipa/issue/7794

karma

I successfully tested installation and uninstallation of a FreeIPA server with freeipa-server-4.7.0-5.fc29.x86_64 and authselect-1.0.2-1.fc29.x86_64

karma

I successfully tested installation and uninstallation of a FreeIPA server with authselect-1.0.2-1.fc28.x86_64 and freeipa-server-4.7.0-5.fc28.x86_64.

karma

Works and fixes the attribute error in is_subclass_of. Thanks!

BZ#1648299 pylint's is_subclass_of fails with AttributeError: 'NoneType' object has no attribute 'name'

@tomegun Yes, I forgot to mention that I'm also working on FreeIPA.

May I suggest that you file a Fedora change proposal for F30? Bonus points if you can offer a stable name that works with all supported Fedora versions (F27 to rawhide) and perhaps RHEL/CentOS, too.