Rebase to the lastest upstream release:
See release notes here:
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2024-5afdb12065
Please login to add feedback.
This update has been submitted for testing by pbrezina.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
This is some kind of real failure, but I'm on PTO today and don't have time to look into it in detail right now. Will look later.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
I'm not familiar with those tests, but clicking around:
at least some of those tests are due to https://github.com/fedora-selinux/selinux-policy/issues/2455
Some looks like infra failure?
This update has been pushed to testing.
Works (not giving +1 because of test failures).
I'm not sure whether I'm imagining things here, but it seems that downgrading to previous version of sssd breaks things. Apparently, something about permissions of the ini file not being right. This causes sssd and its minions like kcm to fail when starting, which then promptly breaks user DB (in my case LDAP/krb5).
Stuff like this on downgrade:
The openQA test is not designed to do any kind of downgrade (and only would if the package versions were incorrect somehow). See https://bodhi.fedoraproject.org/updates/FEDORA-2024-61dea2e6ce#comment-3863847 for what I found, looking around the logs in the failure on the Rawhide update.
@atikhonov there is no "infra" to speak of here, ipa001.test.openqa.fedoraproject.org is not really part of fedora infra, it is just another job in the openQA cluster. if communication to it weren't working, the test would've failed earlier in different ways, most likely (enrolling the client would not have worked at all).
Thanks @adamwill. The downgrade was something I did locally (by accident, to be honest). Maybe the config file had 0600 before and is now 0640, which upsets the previous version.
in
upgrade_realmd_client
I can see time desync between the client and the server:Right: https://github.com/SSSD/sssd/commit/8472777ec472607ea450ddb4c4666017bd0de704
Wrt failing 'rpminspect': https://github.com/rpminspect/rpminspect-data-fedora/pull/61
https://github.com/fedora-selinux/selinux-policy/pull/2469 was merged upstream and should be included in Fedora soon.
ok
In Cockpit's nightly updates-testing run we also encountered test failures related to selinux
https://cockpit-logs.us-east-1.linodeobjects.com/pull-0-35090b74-20241212-013206-fedora-41-updates-testing/TestIPA-testClientCertAuthentication-fedora-41-127.0.0.2-2401-FAIL-1.log.gz
This update has been unpushed.
I'm unpushing the changes. Once SELinux policy is fixed we'll try again. Thank you everybody for the feedback.
@pbrezina, you may want to include a scriptlet that reverts ini file permissions to 0600 on downgrade below 2.10.1 to avoid breaking existing machines.
@pbrezina, looks like SELinux policy update has been queued. Didn't check whether it includes a fix for sssd.
It does contain fix for SSSD. We'll re-push the build once selinux policy update in the compose.
Hi @bojan,
Thank you for the heads-up. Once the SELinux policy update is stabilized I'll take care of pushing back this build for testing.
This update has been submitted for testing by ipedrosa.
I still think that this package should revert permissions of sssd.conf to 0600 on downgrade to a version below itself. Without that, it can break authentication for anyone rolling back a set of updates. Think about doing something like that at scale. It could render a whole fleet of machines inaccessible.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
This update's test gating status has been changed to 'waiting'.
This update has been pushed to testing.
This update's test gating status has been changed to 'passed'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
Works great! LGTM! =)
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by atikhonov.
This update has been pushed to stable.