URL: https://github.com/freeipa/freeipa/pull/5270
Author: abbra
 Title: #5270: Merge fixes from rawhide experiments
Action: opened

PR body:
"""
- 11f8ec48c spec: use pkgconf to find out krb5 version
- eecf4dbb3 Drop upper bound on krb5 version in freeipa.spec
- aaf0232f0 Azure CI: use PPA to provide newer libseccomp version
- dde3528ee Azure CI: use Ubuntu-20.04 image by default
- 70175f61b ipa-acme-manage: user a cookie created for the communication with 
dogtag REST endpoints
- ed3258563 ipa-otpd: fix gcc complaints in Rawhide
- 95bd6402e ipa-sam: fix gcc complaints on Rawhide
- 300961a13 ipa-kdb: fix gcc complaints in kdb tests
- bb2369329 ipa-kdb: fix gcc complaints

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5270/head:pr5270
git checkout pr5270
From bb236932973ee7861e247709d1699795ba0d348f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Nov 2020 13:31:51 +0200
Subject: [PATCH 1/9] ipa-kdb: fix gcc complaints

In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from ipa_kdb.h:37,
                 from ipa_kdb_mspac.c:26:
In function 'strncpy',
    inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
    inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index fe5b586b6ae..bb9d85c104b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2352,7 +2352,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 
 static char *get_server_netbios_name(struct ipadb_context *ipactx)
 {
-    char hostname[IPA_HOST_FQDN_LEN]; /* NOTE: long enough for DNS name */
+    char hostname[IPA_HOST_FQDN_LEN + 1]; /* NOTE: long enough for DNS name */
     char *p;
 
     strncpy(hostname, ipactx->kdc_hostname, IPA_HOST_FQDN_LEN);
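Review bot: `hostname[IPA_HOST_FQDN_LEN]` is never written by the `strncpy` on the last line of this hunk, so the buffer is left unterminated whenever `ipactx->kdc_hostname` is `IPA_HOST_FQDN_LEN` bytes or longer; the extra byte silences -Wstringop-truncation but does not by itself guarantee a terminator. Unless the lines after the hunk already do it (the body of `get_server_netbios_name` continues outside it), add `hostname[IPA_HOST_FQDN_LEN] = '\0';` right after the copy, or declare the array with `= {0}`. The same pattern is visible in `save_sid_to_secret` in ipa_sam.c (patch 3), where `strchr(hostname, '.')` directly follows the `strncpy` with no terminator set. It probably also applies to the `strncpy` into `fqdn` in ipa-otpd's `main` (patch 4), which lies outside that hunk.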

From 300961a133cc5fdf3790e3957727833aea99ce0d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Nov 2020 13:46:38 +0200
Subject: [PATCH 2/9] ipa-kdb: fix gcc complaints in kdb tests

We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.

In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 daemons/ipa-kdb/Makefile.am           | 2 ++
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 11aeec5f0ae..14c0546e0a5 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -92,6 +92,7 @@ ipa_kdb_tests_SOURCES += ipa_kdb_kdcpolicy.c
 endif
 
 ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
+ipa_kdb_tests_LDFLAGS = -L$(libdir)/samba -Wl,-rpath=$(libdir)/samba
 ipa_kdb_tests_LDADD =          \
        $(CMOCKA_LIBS)          \
        $(KRB5_LIBS)            \
@@ -102,6 +103,7 @@ ipa_kdb_tests_LDADD =          \
        $(top_builddir)/util/libutil.la	\
        -lkdb5                  \
        -lsss_idmap             \
+       -lsamba-security-samba4 \
        $(NULL)
 
 appdir = $(libexecdir)/ipa
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 752b24ea47d..2a174ce6b60 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -72,7 +72,7 @@ struct test_ctx {
 #define DOM_SID_TRUST "S-1-5-21-4-5-6"
 #define BLOCKLIST_SID "S-1-5-1"
 #define NUM_SUFFIXES 10
-#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
+#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME
 #define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
 #define EXTERNAL_REALM "WRONG.DOMAIN"
 
@@ -136,7 +136,8 @@ static int setup(void **state)
     ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
     ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
     for (size_t i = 0; i < NUM_SUFFIXES; i++) {
-	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
+	assert_int_not_equal(asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]),
+                                      SUFFIX_TEMPLATE, i), -1);
         ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
             strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
 
@@ -504,7 +505,7 @@ void test_check_trusted_realms(void **state)
 
     for(size_t i = 0; i < NUM_SUFFIXES; i++) {
         char *test_realm = NULL;
-        asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
+        assert_int_not_equal(asprintf(&test_realm, TEST_REALM_TEMPLATE, i), -1);
 
         if (test_realm) {
             kerr = ipadb_is_princ_from_trusted_realm(
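Review bot: The `if (test_realm)` guard that follows the new assertion hides a failure instead of reporting it: if `test_realm` were NULL, the iteration would pass without ever calling `ipadb_is_princ_from_trusted_realm`. Since the `asprintf` return value is now asserted, replace the guard with `assert_non_null(test_realm);` so a bad allocation fails the test. Separately, the commit message says the `size_t` index is cast to `(int)`, while the patch switches `SUFFIX_TEMPLATE` to `%zu`; the message should describe the `%zu` change. The body of `test_check_trusted_realms` continues outside the hunk.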

From 95bd6402eff3cd63c08f3da343e65b7fc88fac26 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Nov 2020 14:22:48 +0200
Subject: [PATCH 3/9] ipa-sam: fix gcc complaints on Rawhide

 In file included from /usr/include/string.h:519,
                  from /usr/include/lber.h:30,
                  from /usr/include/ldap.h:30,
                  from ipa_sam.c:12:
 In function 'strncpy',
     inlined from 'save_sid_to_secret' at ipa_sam.c:4478:2,
     inlined from 'pdb_init_ipasam' at ipa_sam.c:4985:12:
 /usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
    91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 daemons/ipa-sam/ipa_sam.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 5dbdc17fbd8..79f4e5a7724 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4441,7 +4441,7 @@ static char *sec_key(TALLOC_CTX *mem_ctx, const char *d)
 
 static NTSTATUS save_sid_to_secret(struct ipasam_private *ipasam_state)
 {
-	char hostname[IPA_HOST_FQDN_LEN];
+	char hostname[IPA_HOST_FQDN_LEN + 1];
 	const char *fqdn;
 	char *p;
 	TALLOC_CTX *tmp_ctx;
@@ -4475,7 +4475,7 @@ static NTSTATUS save_sid_to_secret(struct ipasam_private *ipasam_state)
 	}
 	/* Copy is necessary, otherwise we this will corrupt the static
 	 * buffer returned by ipa_gethostfqdn(). */
-	strncpy(hostname, fqdn, sizeof(hostname));
+	strncpy(hostname, fqdn, IPA_HOST_FQDN_LEN);
 	p = strchr(hostname, '.');
 	if (p != NULL) {
 		*p = '\0';

From ed3258563632f2debd913541dce731496a72b93c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Nov 2020 14:36:16 +0200
Subject: [PATCH 4/9] ipa-otpd: fix gcc complaints in Rawhide

In file included from /usr/include/string.h:519,
                 from /usr/include/lber.h:30,
                 from /usr/include/ldap.h:30,
                 from internal.h:27,
                 from main.c:31:
In function 'strncpy',
    inlined from 'main' at main.c:237:5:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 daemons/ipa-otpd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-otpd/main.c b/daemons/ipa-otpd/main.c
index 2efb371ee59..529e3834a5d 100644
--- a/daemons/ipa-otpd/main.c
+++ b/daemons/ipa-otpd/main.c
@@ -214,7 +214,7 @@ static krb5_error_code setup_ldap(const char *uri, krb5_boolean bind,
 int main(int argc, char **argv)
 {
     const char *hostname;
-    char fqdn[IPA_HOST_FQDN_LEN];
+    char fqdn[IPA_HOST_FQDN_LEN + 1];
     krb5_error_code retval;
     krb5_data hndata;
     verto_ev *sig;

From 70175f61bd80299ec29d1f75a5bf41e6d3aec1f0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 13 Nov 2020 14:44:00 +0200
Subject: [PATCH 5/9] ipa-acme-manage: user a cookie created for the
 communication with dogtag REST endpoints

The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.

2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')

Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipaserver/install/ipa_acme_manage.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py
index 955f7c979d3..0474b9f4a05 100644
--- a/ipaserver/install/ipa_acme_manage.py
+++ b/ipaserver/install/ipa_acme_manage.py
@@ -25,13 +25,15 @@
 
 class acme_state(RestClient):
 
-    def _request(self, url):
+    def _request(self, url, headers=None):
+        headers = headers or {}
         return dogtag.https_request(
             self.ca_host, 8443,
             url=url,
             cafile=self.ca_cert,
             client_certfile=paths.RA_AGENT_PEM,
             client_keyfile=paths.RA_AGENT_KEY,
+            headers=headers,
             method='POST'
         )
 
@@ -48,20 +50,21 @@ def __enter__(self):
     def __exit__(self, exc_type, exc_value, traceback):
         """Log out of the REST API"""
         headers = dict(Cookie=self.cookie)
-        status, unused, _unused = self._request('/acme/logout')
+        status, unused, _unused = self._request('/acme/logout', headers=headers)
         object.__setattr__(self, 'cookie', None)
         if status != 204:
             raise RuntimeError('Failed to logout')
 
     def enable(self):
         headers = dict(Cookie=self.cookie)
-        status, unused, _unused = self._request('/acme/enable')
+        status, unused, _unused = self._request('/acme/enable', headers=headers)
         if status != 200:
             raise RuntimeError('Failed to enable ACME')
 
     def disable(self):
         headers = dict(Cookie=self.cookie)
-        status, unused, _unused = self._request('/acme/disable')
+        status, unused, _unused = self._request('/acme/disable',
+                                                headers=headers)
         if status != 200:
             raise RuntimeError('Failed to disble ACME')
 
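Review bot: `__exit__` raises `RuntimeError('Failed to logout')` even when the `with` body is already unwinding with its own exception, so that exception reaches the caller only as the `__context__` of the logout error. Consider raising only when `exc_type is None` and logging the failed logout otherwise. The error string in `disable()` reads `'Failed to disble ACME'` and should be `'Failed to disable ACME'`. Now that the session cookie is actually sent, it is also worth confirming in `__enter__` (outside this hunk) that `self.cookie` is set before `dict(Cookie=self.cookie)` is built, since a missing cookie would presumably be passed on as the value `None`.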

From dde3528ee09feacff7398094aebcbdb62c555ba7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Sat, 14 Nov 2020 15:31:25 +0200
Subject: [PATCH 6/9] Azure CI: use Ubuntu-20.04 image by default

Ubuntu 20.04 image is available in Azure Pipelines, migrate to it.
https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-README.md

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipatests/azure/templates/variables-common.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/azure/templates/variables-common.yml b/ipatests/azure/templates/variables-common.yml
index 36594064abb..5b3c2ca4914 100644
--- a/ipatests/azure/templates/variables-common.yml
+++ b/ipatests/azure/templates/variables-common.yml
@@ -6,7 +6,7 @@ variables:
   # https://github.com/actions/virtual-environments/blob/master/images/linux/Ubuntu1604-REA    DME.md
   # Ubuntu-18.04 - 3.6.9
   # https://github.com/actions/virtual-environments/blob/master/images/linux/Ubuntu1804-REA    DME.md
-  VM_IMAGE: 'Ubuntu-18.04'
+  VM_IMAGE: 'ubuntu-20.04'
   MAX_CONTAINER_ENVS: 5
   IPA_TESTS_ENV_WORKING_DIR: $(Build.Repository.LocalPath)/ipa_envs
   IPA_TESTS_SCRIPTS: 'ipatests/azure/scripts'

From aaf0232f06b753baab742edd5c02d510fe2c3760 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 16 Nov 2020 23:07:56 +0200
Subject: [PATCH 7/9] Azure CI: use PPA to provide newer libseccomp version

Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If the kernel responds with the ENOSYS error code, GNU libc will
attempt to use the older, less flexible faccessat() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipatests/azure/Dockerfiles/seccomp.json | 1 +
 ipatests/azure/templates/test-jobs.yml  | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipatests/azure/Dockerfiles/seccomp.json b/ipatests/azure/Dockerfiles/seccomp.json
index c269d92e5a0..d5a5631facb 100644
--- a/ipatests/azure/Dockerfiles/seccomp.json
+++ b/ipatests/azure/Dockerfiles/seccomp.json
@@ -90,6 +90,7 @@
 				"exit",
 				"exit_group",
 				"faccessat",
+				"faccessat2",
 				"fadvise64",
 				"fadvise64_64",
 				"fallocate",
diff --git a/ipatests/azure/templates/test-jobs.yml b/ipatests/azure/templates/test-jobs.yml
index 4f9abf394ad..1ccf907fe9c 100644
--- a/ipatests/azure/templates/test-jobs.yml
+++ b/ipatests/azure/templates/test-jobs.yml
@@ -12,7 +12,11 @@ steps:
         moreutils \
         rng-tools \
         systemd-coredump \
-        python3-docker
+        python3-docker \
+        software-properties-common
+    sudo add-apt-repository -y ppa:abbra/freeipa-libseccomp
+    sudo apt-get update
+    sudo apt-get install -y libseccomp2
     # ubuntu's one is too old: different API
     python3 -m pip install docker --user
   displayName: Install Host's tests requirements
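Review bot: The added `sudo add-apt-repository -y ppa:abbra/freeipa-libseccomp` step makes every CI host install `libseccomp2` as root from a personal PPA with no version pin, so whatever that archive serves at run time becomes part of the host's seccomp filtering path. Pin the package to the intended build, e.g. `sudo apt-get install -y libseccomp2=<PPA_PACKAGE_VERSION>` (placeholder), so an unexpected upload to the PPA does not silently change the CI host. A comment such as `# libseccomp >= 2.5.0 is needed for faccessat2(); drop the PPA once the image ships it` would document the exception and make it easy to retire. The script step starts outside the hunk.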

From eecf4dbb30c17cbf6dc7b7fab81bdc43f87d657a Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Mon, 8 Apr 2019 15:26:11 -0400
Subject: [PATCH 8/9] Drop upper bound on krb5 version in freeipa.spec

This check is no longer needed now that krb5 exports the KDB version.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 freeipa.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ae684c67df2..c302341ceae 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -365,7 +365,7 @@ Requires: 389-ds-base >= %{ds_version}
 Requires: openldap-clients > 2.4.35-4
 Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
-Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
+Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony

From 11f8ec48cfb05b9faab452df8095e1993d44d43c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 10 Nov 2020 12:55:21 +0200
Subject: [PATCH 9/9] spec: use pkgconf to find out krb5 version

In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).

Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 freeipa.spec.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c302341ceae..13b569abb6b 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -143,7 +143,7 @@
 # https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20
 %global sssd_version 1.16.3-2
 
-%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
+%define krb5_base_version %(LC_ALL=C pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
 
 %if 0%{?fedora} >= 33
 # systemd with resolved enabled
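Review bot: The fallback in the new `krb5_base_version` definition yields a different shape than the main path: `pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+'` gives major.minor, while `|| echo %krb5_version` emits the full minimum version unfiltered, which merely duplicates the existing `>= %{krb5_version}` requirement. That branch is taken whenever pkgconf or krb5.pc is missing at spec-parse time (for example before BuildRequires are installed), and pkgconf's error output is not silenced. Suggest moving the `||` alternative inside the pipeline so grep trims both results, adding `2>/dev/null` to the pkgconf call, and putting a comment above the `%define` that says when the fallback applies. `%krb5_version` is assumed to be defined earlier in the spec, outside this hunk.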
@@ -185,6 +185,7 @@ BuildRequires:  openldap-devel
 # DAL version change may cause code crash or memory leaks, it is better to fail early.
 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
 BuildRequires:  krb5-devel >= %{krb5_version}
+BuildRequires:  pkgconfig(krb5)
 %if 0%{?with_ipa_join_xml}
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
@@ -195,7 +196,7 @@ BuildRequires:  jansson-devel
 BuildRequires:  popt-devel
 BuildRequires:  gcc
 BuildRequires:  make
-BuildRequires:  pkgconfig
+BuildRequires:  pkgconf
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool