stable

dogtag-pki-10.6.8-3.fc29, freeipa-4.7.2-1.fc29, & 4 more

FEDORA-2018-3241dd6a7f created by dmoluguw 5 years ago for Fedora 29

Rebased:

  • pki-core to 10.6.8
  • dogtag-pki to 10.6.8
  • jss to 4.5.1
  • freeipa to 4.7.2

Resubmitting the following since it didn't make it to the stable:

  • nuxwdog 1.0.5-3
  • tomcatjss 7.3.6-2

This update resolves an issue which caused uninstall of a FreeIPA server to fail with authselect 1.0.2, which recently appeared as an update. See the pull request for more details.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-3241dd6a7f

This update has been submitted for testing by dmoluguw.

5 years ago

This update has been pushed to testing.

5 years ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

5 years ago
User Icon dmoluguw commented & provided feedback 5 years ago

The issue that we see in OpenQA isn't reproducible in a normal dev/CI environment. We need to look why we get the following error:

java.lang.NoSuchMethodError: com.netscape.certsrv.apps.CMS.getLogger()Lcom/netscape/certsrv/logging/ILogger;

We don't depend on CMS.getLogger()any more. We try to instantiate a slf4j logger in its place.

User Icon dmoluguw commented & provided feedback 5 years ago

This is a weird error since openQA tests with a conflicting version of IPA. This new PKI package requires IPA >= 4.7.1

A specific conflict was declared in PKI: https://github.com/dogtagpki/pki/blob/master/pki.spec#L679

But, open QA tests with FreeIPA 4.7.0: https://openqa.fedoraproject.org/tests/314576#step/_advisory_update/21

Since freeIPA 4.5.1 doesn't exist yet in bodhi, the errors occurred. Regardless, OpenQA must have reported a different error.

sgallagh edited this update.

New build(s):

  • freeipa-4.7.2-1.fc29
  • pki-core-10.6.8-3.fc29

Removed build(s):

  • pki-core-10.6.8-1.fc29

Karma has been reset.

5 years ago

This update has been submitted for testing by sgallagh.

5 years ago

This update has obsoleted freeipa-4.7.0-5.fc29, and has inherited its bugs and notes.

5 years ago
User Icon sgallagh commented & provided feedback 5 years ago

I've added updated pki-core and freeipa packages together on this Bodhi update so the conflict issues should now be resolved.

sgallagh edited this update.

New build(s):

  • dogtag-pki-10.6.8-3.fc29

Removed build(s):

  • dogtag-pki-10.6.8-1.fc29

Karma has been reset.

5 years ago
User Icon abbra commented & provided feedback 5 years ago

There is a bunch of AVCs in two failed tests:

  • update.upgrade_realmd_client x86_64 server freeipa_client module failed 2 minutes ago
  • update.upgrade_server_domain_controller x86_64 server 2 minutes ago

As far as I can see, the server upgrade failure is purely AVC-related. Client upgrade failure is due to a combination of few factors: - AVCs by SSSD - Certificate for IPA master issued with the same serial as it was used on some older install by this client. Is the client re-enrolled after upgrade? It might have unclean Firefox settings then. - GSSAPI failures in SSSD, preventing to contact and authenticate to LDAP, thus failing to provide user and group infromation. Perhaps, this one is driven by AVCs.

If we could re-run this update with permissive in staging to see if AVCs are the core issue, that would be very helpful.

This update has been pushed to testing.

5 years ago
User Icon cheimes commented & provided feedback 5 years ago
karma

FreeIPA 4.7 PR-CI is passing with pki-core-10.6.8-3, https://github.com/freeipa/freeipa/pull/2646. PR-CI uses F29 while Travis CI tests on F28. I was also able to install an FreeIPA cluster with two servers on Fedora 29 successfully.

User Icon mzink commented & provided feedback 5 years ago
karma

works for me

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

5 years ago

This update has been submitted for batched by sgallagh.

5 years ago
User Icon adamwill commented & provided feedback 5 years ago

@abbra the AVCs seem to always happen - if you look at the same tests on other updates, they also soft-fail due to the presence of AVCs. It should be looked into, but it doesn't appear to relate to this update. No, the client is not re-enrolled after upgrade.

The serial number-related failure is an odd one that seems to just sort of happen now and again, I think I've seen it in Rawhide too. I'm not sure what the cause is.

The most recent run of the tests passed; I'm not sure if I just manually restarted to see if the failure was something transient, or if they got auto-re-run by the edit to include dogtag-pki 3.fc29.

This update has been submitted for stable by bodhi.

5 years ago

This update has been pushed to stable.

5 years ago

Please login to add feedback.

Metadata
Type
enhancement
Karma
2
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
5 years ago
in testing
5 years ago
in stable
5 years ago
modified
5 years ago
BZ#1534765 javadoc for org.mozilla.jss.pkix.cms.SignedData.getSignerInfos() is incorrect
0
0
BZ#1582323 DER encoding error for enumerated types with a value of zero
0
0
BZ#1645708 authselect enable-features should error on unknown features
0
0

Automated Test Results