Rebased:

  • pki-core to 10.6.8
  • dogtag-pki to 10.6.8
  • jss to 4.5.1
  • freeipa to 4.7.2

Resubmitting the following since it didn't make it to the stable:

  • nuxwdog 1.0.5-3
  • tomcatjss 7.3.6-2

This update resolves an issue which caused uninstall of a FreeIPA server to fail with authselect 1.0.2, which recently appeared as an update. See the pull request for more details.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-3241dd6a7f

This update has been submitted for testing by dmoluguw.

2 years ago

This update has been pushed to testing.

2 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
User Icon dmoluguw commented & provided feedback 2 years ago

The issue that we see in OpenQA isn't reproducible in a normal dev/CI environment. We need to look why we get the following error:

java.lang.NoSuchMethodError: com.netscape.certsrv.apps.CMS.getLogger()Lcom/netscape/certsrv/logging/ILogger;

We don't depend on CMS.getLogger()any more. We try to instantiate a slf4j logger in its place.

User Icon dmoluguw commented & provided feedback 2 years ago

This is a weird error since openQA tests with a conflicting version of IPA. This new PKI package requires IPA >= 4.7.1

A specific conflict was declared in PKI: https://github.com/dogtagpki/pki/blob/master/pki.spec#L679

But, open QA tests with FreeIPA 4.7.0: https://openqa.fedoraproject.org/tests/314576#step/_advisory_update/21

Since freeIPA 4.5.1 doesn't exist yet in bodhi, the errors occurred. Regardless, OpenQA must have reported a different error.

sgallagh edited this update.

New build(s):

  • freeipa-4.7.2-1.fc29
  • pki-core-10.6.8-3.fc29

Removed build(s):

  • pki-core-10.6.8-1.fc29

Karma has been reset.

2 years ago

This update has been submitted for testing by sgallagh.

2 years ago

This update has obsoleted freeipa-4.7.0-5.fc29, and has inherited its bugs and notes.

2 years ago
User Icon sgallagh commented & provided feedback 2 years ago

I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.

sgallagh edited this update.

New build(s):

  • dogtag-pki-10.6.8-3.fc29

Removed build(s):

  • dogtag-pki-10.6.8-1.fc29

Karma has been reset.

2 years ago
User Icon abbra commented & provided feedback 2 years ago

There is a bunch of AVCs in two failed tests:

  • update.upgrade_realmd_client x86_64 server freeipa_client module failed 2 minutes ago
  • update.upgrade_server_domain_controller x86_64 server 2 minutes ago

As far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors: - AVCs by SSSD - Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then. - GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.

If we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.

This update has been pushed to testing.

2 years ago
User Icon cheimes commented & provided feedback 2 years ago
karma

FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.

User Icon mzink commented & provided feedback 2 years ago
karma

works for me

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for batched by sgallagh.

2 years ago
User Icon adamwill commented & provided feedback 2 years ago

@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.

The serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.

The most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Metadata
Type
enhancement
Karma
2
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
modified
2 years ago
BZ#1534765 javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect
0
0
BZ#1582323 DER encoding error for enumerated types with a value of zero
0
0
BZ#1645708 authselect enable-features should error on unknown features
0
0

Automated Test Results