On 11/27/20 12:12 PM, Alexander Bokovoy via FreeIPA-devel wrote:
On Wed, 18 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
On Mon, 16 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
On Fri, 13 Nov 2020, Alexander Bokovoy via FreeIPA-devel wrote:
On Wed, 11 Nov 2020, Stanislav Levin via FreeIPA-devel wrote:


11.11.2020 14:11, Alexander Bokovoy via FreeIPA-devel wrote:
On Wed, 11 Nov 2020, Stanislav Levin wrote:

On top of that we have a worrying behavior of the Azure CI with regards
to DNSSEC that waits for investigation.
please, where to see the failure?

You can look, for example, at https://github.com/freeipa/freeipa/pull/5248
It is like https://pagure.io/freeipa/issue/8538

At least, 389-ds logging may be raised to 8192 from the current one (0)
for debugging.

We already have debugging enabled in Azure CI builds. I uploaded logs to
the issue 8538.

To me this looks like 389-ds issue 4363 is not really fixed yet.

I ran a few experiments with Rawhide and git master over the weekend. Here is
my status before 4.9.0-rc1 release preparation:

- Master branch seems to be no worse than 4.8.0 in terms of running on
 Fedora 32 in Azure Pipelines CI and PR CI.

- Rawhide has fixes for certmonger and 389-ds-base but I was unable to
 get them fully tested due to upgrade of glibc that made it impossible to
 use Azure Pipelines with Rawhide anymore on kernels less than v5.8.

glibc changed the implementation of faccessat() to use faccessat2() if this
syscall is available at compile time -- requires kernel v5.8 or
later. As a result, systemd cannot start anymore in an unprivileged
container on Azure Pipelines CI even with host Ubuntu 20.04 which uses
v5.4. The exact solution is unclear yet because it is a general issue
with libseccomp not knowing about newer syscalls and not being able to
filter out unknown syscalls in a way that would trigger a fallback to
faccessat() in glibc.

This is a generic issue -- other projects saw a similar fallout when
coreutils and other projects started to use statx() syscall. For
example, https://bugzilla.redhat.com/show_bug.cgi?id=1784228 outlines
this for libuv which is used by Node.js.

libseccomp only added support for faccessat2() in version 2.5:
https://github.com/seccomp/libseccomp/commit/5696c896409c1feb37eb502df33cf36efb2e8e01,
this version is available in Debian Sid already, so one option would be
to try to update the host image at runtime to use a newer libseccomp2
package from Sid (it is easily installable on top of Focal repositories,
I checked), then restart docker and reuse our unprivileged containers.

An update to the FreeIPA 4.9.0 release candidate releases.

We merged most of the fixes regarding Rawhide runs to git master and I
branched ipa-4-9 for a new release.

FreeIPA 4.9.0 release candidate 1 is out now and is built in Rawhide.
There is a bug in client-only build which should now be addressed with
PR: https://github.com/freeipa/freeipa/pull/5276

Armando did set up PR CI to track ipa-4-9 branch. I did the same for
Azure Pipelines. There is also a label 'ipa-4-9' for proposing pull
requests for the backports.

Another update.

I am planning for FreeIPA 4.9.0 release candidate 2 for December 1st.

Rawhide state:

  - bind-dyndb-ldap 11.6-1.fc34 should be in a working state against BIND
    9.11 now. Installing IPA master with integrated DNS works just fine.

  - python3-dns 2.1.0-0.1.rc1.fc34 is broken and does not allow
    installing an IPA replica. This should be fixed with python3-dns
    2.1.0-0.2.rc1.fc34: https://bodhi.fedoraproject.org/updates/FEDORA-2020-622a2dccdc
    With this fix installing an IPA replica works fine.

  - Spec file for FreeIPA needs updates based on our recent discussions
    with Thomas for RHEL 8.4 packaging. I'll handle this in
    https://github.com/freeipa/freeipa/pull/5279

Pull requests I expect to land before 4.9.0rc2 release:
 5294    Allow Apache to answer to ipa-ca requests without ipa-4-9    https://github.com/freeipa/freeipa/pull/5294    {'failure': 1, 'success': 1, 'pending': 28}
 5292    Always define the path DNSSEC_OPENSSL_CONF    ipa-4-9 https://github.com/freeipa/freeipa/pull/5292    {'success': 1, 'pending': 3}
5292 has been merged in master and backported to ipa-4-9.

 5290    Improve PKI subsystem detection    ipa-4-6 ipa-4-8 ipa-4-9 https://github.com/freeipa/freeipa/pull/5290    {'success': 1, 'failure': 1, 'pending': 24}
5290 needs discussions with pki team, we can skip this fix for the next rc.

 5279    freeipa.spec.in: unify spec files across upstream     WIP ipa-4-9    https://github.com/freeipa/freeipa/pull/5279    {'success': 1, 'pending': 24}
 5199    Change KRA profiles in certmonger tracking so they    ipa-4-6 ipa-4-8 ipa-4-9    https://github.com/freeipa/freeipa/pull/5199 {'success': 1, 'pending': 27, 'failure': 1, 'error': 1}
5199 has been merged on the master branch and a backport to ipa-4-9 is in progress.

flo

If you have other suggested fixes, please mark them with ipa-4-9 label.

Difference between 4.9.0rc1 and ipa-4-9 branch so far:

== Resolved tickets ==
* [https://pagure.io/freeipa/issue/3299 #3299] [RFE] Switch the client to JSON RPC
* [https://pagure.io/freeipa/issue/7676 #7676] ([https://bugzilla.redhat.com/show_bug.cgi?id=1544379 rhbz#1544379]) ipa-client-install changes system wide ssh configuration
* [https://pagure.io/freeipa/issue/8424 #8424] Add ipa.p11-kit to ipa-client-install man page files list
* [https://pagure.io/freeipa/issue/8531 #8531] RFE: Use host keytab to obtain ticket for ipa-certupdate
* [https://pagure.io/freeipa/issue/8554 #8554] ([https://bugzilla.redhat.com/show_bug.cgi?id=1891056 rhbz#1891056]) ipa-kdb: support subordinate/superior UPN suffixes
* [https://pagure.io/freeipa/issue/8581 #8581] Nightly test failure in test_acme.py::TestACME::test_third_party_certs (updates-testing)
* [https://pagure.io/freeipa/issue/8587 #8587] client-only build fails due to unconditional use of pwquality features
* [https://pagure.io/freeipa/issue/8590 #8590] Nightly test failure in test_integration/test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default::setup

== Detailed changelog since 4.9.10 ==
=== Armando Neto (1) ===
* ipatests: Bump PR-CI templates [https://pagure.io/freeipa/c/a3c5c71925b5fd8faa56379d92fa19631d230108 commit]

=== Alexander Bokovoy (2) ===
* ad trust: accept subordinate domains of the forest trust root [https://pagure.io/freeipa/c/381cc5e8eae1b7437fc15cb699983887d398f498 commit] [https://pagure.io/freeipa/issue/8554 #8554]
* util: Fix client-only build [https://pagure.io/freeipa/c/244704cc156dba0731671c55661d82073f970c9b commit] [https://pagure.io/freeipa/issue/8587 #8587]

=== Antonio Torres Moríñigo (1) ===
* ipa-client-install manpage: add ipa.p11-kit to list of files created [https://pagure.io/freeipa/c/08bbd0a2d712a5a7f1a02999390c4be2a9df3f0e commit] [https://pagure.io/freeipa/issue/8424 #8424]

=== Mohammad Rizwan (1) ===
* ipatests: Test certmonger IPA responder switched to JSONRPC [https://pagure.io/freeipa/c/25eebb21a2f85817691ce65c431d6b5de3bebe3b commit] [https://pagure.io/freeipa/issue/3299 #3299]

=== Rob Crittenden (10) ===
* ipatests: Increase timeout for ACME in gating.yaml [https://pagure.io/freeipa/c/17f293e9da0375bac4871c0100c6146a8c2f8e55 commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: honor class inheritance in TestACMEwithExternalCA [https://pagure.io/freeipa/c/75ad5757528491616f7f4e596bb9f6b152944d99 commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: configure MDStoreDir for mod_md ACME test [https://pagure.io/freeipa/c/b474b263ed0161ba8411cc84014e4d08a44ac15f commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Clean up existing ACME registration and certs [https://pagure.io/freeipa/c/5d286e79515c8a6c856a5acde6300271422acfac commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Configure a replica in TestACMEwithExternalCA [https://pagure.io/freeipa/c/de5baf8516cde060f1606070b2a8824f71178f16 commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: call the CALess install method to generate the CA [https://pagure.io/freeipa/c/3cd6b81a68be98ae9f60da67d2bc640831f0cf0c commit] [https://pagure.io/freeipa/issue/8581 #8581]
* ipatests: Test that Match ProxyCommand masks on no shell exec [https://pagure.io/freeipa/c/d89e3abf2714092baae1607afd83da1c944d6c9f commit] [https://pagure.io/freeipa/issue/7676 #7676]
* Create IPA ssh client configuration and move ProxyCommand [https://pagure.io/freeipa/c/a525b2ebf01ffff83d0a5925035f4be0fc5c700c commit] [https://pagure.io/freeipa/issue/7676 #7676]
* ipatests: Test that ipa-certupdate can run without credentials [https://pagure.io/freeipa/c/4941d3d4b1ba10ccddf5429463debcefac6fbd9f commit] [https://pagure.io/freeipa/issue/8531 #8531]
* Use host keytab to obtain credentials needed for ipa-certupdate [https://pagure.io/freeipa/c/1a09ce9f3fa503eeefe394856be538892652accf commit] [https://pagure.io/freeipa/issue/8531 #8531]

=== Robbie Harwood (1) ===
* Fix krbtpolicy tests [https://pagure.io/freeipa/c/17a4198a666453dbec55409d4e2acc37a37b57ac commit] [https://pagure.io/freeipa/issue/8590 #8590]

=== Sudhir Menon (2) ===
* ipatests: support subordinate upn suffixes [https://pagure.io/freeipa/c/7e605e958ef6d41584afc238433669c15458ac67 commit]
* ipatests: Tests for ipahealthcheck.ds.nss_ssl [https://pagure.io/freeipa/c/46f114d9e751b2a092b975b909f0e890257a507d commit]
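
An added example, not part of the original e-mail and not glibc's own code: a C model of the faccessat2()-to-faccessat() fallback described in the thread, showing why a filter that rejects the unknown syscall with anything other than ENOSYS leaves the caller with a failure instead of a fallback. The stub functions are constructed stand-ins for the kernel, and EPERM as the filter's answer is an assumption.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel entry points; each returns 0 or
 * -1 with errno set, like a raw syscall wrapper. Not real syscalls. */
typedef int (*sys_fn)(const char *path, int mode);

static int new_on_old_kernel(const char *p, int m)   /* kernel < 5.8 */
{ (void)p; (void)m; errno = ENOSYS; return -1; }

static int new_filtered_eperm(const char *p, int m)  /* assumed filter answer */
{ (void)p; (void)m; errno = EPERM; return -1; }

static int new_on_58_kernel(const char *p, int m)    /* kernel >= 5.8, allowed */
{ (void)p; (void)m; return 0; }

static int legacy_faccessat(const char *p, int m)    /* older syscall, allowed */
{ (void)p; (void)m; return 0; }

/* The fallback pattern under discussion: try the newer syscall first and
 * use the older one only when the kernel reports ENOSYS. */
static int access_with_fallback(sys_fn newer, const char *path, int mode)
{
    int ret = newer(path, mode);
    if (ret == 0 || errno != ENOSYS)
        return ret;               /* success, or an error taken at face value */
    return legacy_faccessat(path, mode);
}

/* Returns 0 when the access check succeeds, otherwise the errno seen. */
static int outcome(sys_fn newer)
{
    errno = 0;
    return access_with_fallback(newer, "/constructed/path", 4 /* R_OK */) == 0
               ? 0 : errno;
}

int main(void)
{
    printf("old kernel, no filter : %d\n", outcome(new_on_old_kernel));
    printf("filter answers EPERM  : %d\n", outcome(new_filtered_eperm));
    printf("kernel 5.8+, allowed  : %d\n", outcome(new_on_58_kernel));
    return 0;
}
```

Only the ENOSYS case reaches the older syscall; the filtered case surfaces the filter's error to the caller even though the file is accessible.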


