Commit Graph

14187 Commits

Author SHA1 Message Date
François Cami
7823da0630 SELinux: Add dedicated policy for ipa-pki-retrieve-key
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-09-22 18:05:38 +02:00
François Cami
dfeea1644a ipatests: enhance TestSubCAkeyReplication
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-09-22 18:05:38 +02:00
Christian Heimes
bc128cae47 Add User and Group to all ipaplatform.constants
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
b19d20e2db Use new classes for run_command and Service
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.

run_command() and Service class accept either names or User object.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
72fb4e60c8 Add user and group wrappers
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.

The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:23:18 -04:00
Christian Heimes
99a40cbbe9 Simplify LDAPUpdater
- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
  dictionary
- simplify substitution dictionary updates
- remove unused instances vars

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Christian Heimes
87cf2a3c78 Add ldap_update() helper to service class
The new _ldap_update() helper methods makes it easier to apply LDAP
update files from a service instance.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Christian Heimes
3c86baf0ad Don't create DS SSCA and self-signed cert
Instruct lib389 to not create its self-signed CA and temporary
self-signed certificate. FreeIPA uses local connections and Unix socket
for bootstrapping.

Fixes: https://pagure.io/freeipa/issue/8502
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-21 18:13:51 -04:00
Florence Blanc-Renaud
8ba15027d4 test_smb: skip test_smb_service_s4u2self for fed31
The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-21 18:12:03 -04:00
Christian Heimes
b606fa6cca Duplicate CA CRT: ignore expected cert
When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-18 14:20:08 -04:00
Fraser Tweedale
c0461eb37c spec: require pki-acme if pki-ca >= 10.10
We can use conditional dependencies (described at [1]) to require
the pki-acme package if pki-ca >= 10.10.0 (the version at which the
ACME service was separated to a subpackage).

[1] https://rpm.org/user_doc/boolean_dependencies.html

I have tested this with repos having only pki-10.9.x (and therefore
no pki-acme package), and dnf is happy.  I have also testing package
installation with pki-10.10 packages installed, but /without/
pki-acme installed. pki-acme was seen as a missing dependency and
installed alongside the freeipa packages.  This change seems to
satisfy all the scenarios.

Related: https://github.com/dogtagpki/pki/pull/513
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-18 14:17:03 -04:00
François Cami
be7bf98b3b dogtaginstance.py: add --debug to pkispawn
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-17 15:59:00 +02:00
François Cami
c31bf3d430 ipatests: check that pkispawn log is not empty
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-17 15:59:00 +02:00
Armando Neto
26ae95f4b4
ipatests: Add nightly definitions for enforcing mode
Duplicates the scenario for nightly_latest.yaml and
nightly_latest_testing.yaml setting `selinux_enforcing` parameter
as True.

Indentation for all definitions have been fixed.

Issue: https://github.com/freeipa/freeipa-pr-ci/issues/391

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-15 09:11:21 -03:00
Christian Heimes
05da1f7f7f Add krbPrincipalName pres index correctly
See: 20b55f4017
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-15 08:58:28 +03:00
Alexander Bokovoy
31bc0df6a2 Specify memory limits as strings for docker compose
Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-14 14:00:20 +03:00
Rob Crittenden
20b55f4017 Add index for more trust-related attributes
Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:19:01 +03:00
Rob Crittenden
fc271a55bb ipatests: Add tests for checking available memory
The tests always force container or no container so they should
run the same in any environment.

The following cases are handled:

- container, no cgroups
- container, insufficent RAM
- container, sufficient RAM for no CA
- container, insufficient RAM with CA
- non-container, sufficient RAM
- non-container, insufficient RAM

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-09-14 09:17:33 +03:00
Rob Crittenden
cfad7af35d Require at least 1.6Gb of available RAM to install the server
Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev@altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-09-14 09:17:33 +03:00
Rob Crittenden
2e4431af70 ipatests: Add test for ACI attribute and permission uniqueness
https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:15:59 +03:00
Rob Crittenden
2656c4687b Use ACI class set_permissions() method to set permissions
This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:15:59 +03:00
Rob Crittenden
cdf830af18 De-duplicate ACI attributes and permissions
Ensure uniqueuess in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-14 09:15:59 +03:00
Rob Crittenden
e92a4ba4ae ipatests: test that a zone name and name-from-ip will be rejected
If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2020-09-14 09:14:37 +03:00
Rob Crittenden
2265cb86cf Don't allow both a zone name and --name-from-ip to be provided
--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2020-09-14 09:14:37 +03:00
Christian Heimes
0a2b6ca6ee Only restart DS when duplicate cacrt was found
The update_fix_duplicate_cacrt_in_ldap plugin no longer restarts DS when
CA is disabled or no duplicate cacrt entry was dedected.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-11 13:22:42 -04:00
Armando Neto
21186540f0 ipatests: Bump PR-CI templates
New templates with a previously working version of `geckodriver`.

Issue: https://pagure.io/freeipa/issue/8473

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-09-10 18:36:25 +02:00
Alexander Bokovoy
ba1a7b97c1 ipa-kdb: test kadmin.local getprincs command
Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-10 11:57:14 -04:00
Alexander Bokovoy
d00106b34d ipa-kdb: support getprincs request in kadmin.local
kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
    (objectclass=krbprincipalaux)
    (objectclass=krbprincipal)
    (objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
     (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

      extensible     = ( attr [dnattrs]
                           [matchingrule] COLON EQUALS assertionvalue )
                       / ( [dnattrs]
                            matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using <valueencoding> rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-10 11:57:14 -04:00
Rob Crittenden
f249c51bf4 Set the certmonger subject with a string, not an object
ipa-server-certinstall goes through a slightly different code path
if the replacement certificate is issued by IPA. This was setting
the subject using cert.subject which is a Name object and not the
string representation of that object. This was failing in the
dbus call to certmonger.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-09-10 09:21:25 +02:00
Rob Crittenden
040d48fa61 ipatests: test ipa_server_certinstall with an IPA-issued cert
ipa-server-certinstall takes a slightly different code path if
the replacement certificate is IPA-issued so exercise that path.

This replaces the Apache cert with itself which is a bit of a no-op
but it still goes through the motions.

https://pagure.io/freeipa/issue/8204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-09-10 09:21:25 +02:00
Florence Blanc-Renaud
dbc7881e36 dnsforwardzone-add: support dnspython 2.0
The command dnsforwardzone-add is assuming that the dns.rrset.RRset
type stores "items" as a list. With dnspython 2.0 this is not true
as a dict is used instead.

As a consequence, in order to get the first record, it is not possible
to use items[0]. As dict and list are both iterables, next(iter(items))
can be used in order to be compatible with dnspython 1.16 and 2.0.

Fixes: https://pagure.io/freeipa/issue/8481
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-10 09:14:50 +02:00
François Cami
68328299c8 SELinux Policy: let custodia replicate keys
Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;

Found by: test_replica_promotion::TestSubCAkeyReplication

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-09 17:49:23 -04:00
Florence Blanc-Renaud
50fdc8089a ipatests: fix bind service name
With the commit 721435cf7f
the service name for bind is now 'named' instead of
'named-pkcs11' on fedora. The ipa-healthcheck test was hardcoding
the service name but it should instead use the name stored in
knownservices.named.systemd_name as it varies depending on
the OS.

Fixes: https://pagure.io/freeipa/issue/8482
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-07 09:25:25 +02:00
Sudhir Menon
15f168c103 ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust
Tests for TestIpaHealthCheckWithADtrust are failing since
package is not installed, this patch installs
healthcheck pkg on the IPA Master.

Patch to install healthcheck package for TestIpaHealthCheckWithExternalCA

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-09-03 15:56:15 +02:00
Fraser Tweedale
9094dfc294 install: simplify host name verification
Perform a small refactor to the installer code that chooses and
verifies the hostname.  In particular:

- choice of hostname is separate from validation
- read_host_name no longer performs validation
- verify_fqdn is now called from one place
- if/else branches are now "balanced"

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-03 13:58:59 +02:00
Fraser Tweedale
b54d936487 delete unused subroutine get_host_name()
Commit a42a711394, from September
2018, removed the only call site of installutils.get_host_name().
Delete the definition.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-03 13:56:45 +02:00
Stanislav Levin
b450c9bd32 dns: Make use of resolve_address of a current resolver instead of the global one
For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 17:24:40 +03:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
fdb227e55a tox: Don't expand symlinks
`virtualenv` < 20.0.0 copies system python binary into virt
environment and then links `python` to it. While
`virtualenv` >= 20.0.0 directly links `python` to system python
binary (without copying).

`realpath` by default expands symlinks. Thereby, pip attempts to
install packages into the system's site-packages and
fails with 'Permission denied' (non-privileged user).

Fixes: https://pagure.io/freeipa/issue/8475
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
30cf59d0ae Azure: Increase verbosity for Tox task
This allows to debug issues happened during packages installation:

> -v, --verbose     increase verbosity of reporting output.
-vv mode turns off output redirection for package installation,
above level two verbosity flags are passed through to pip (with two less
level) (default: 0)

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
f3d1087130 deps: Require nss-tools for make's fasttest target
Otherwise, tests fail with:
```
E               FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
a102cfe5fa nss: Raise exception earlier on unsupported DB type
For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.

With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.

Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
a5b23287ae Azure: base: Collect both install and uninstall logs
Some applications remove their logs on uninstallation.
As a result of this, Azure lost `install` logs.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
60ff2841cd Azure: Drop dependency on UsePythonVersion task
Python is provided by the Docker container image and it's no
longer needed to bind mount host's Python into container.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
0d326a9097 Azure: Add Rawhide definitions
- allow override variables template file with an externally
provided one. This allows to add new Azure Pipeline which will
point to a custom platform definition. Note: Azure's WebUI
variables are runtime variables and not available at parsing time,
that's why it's impossible to override template from WebUI in
this case.

- add Rawhide templates

- add Dockerfile for build Rawhie Docker image for tests phase
Note: 'fedora:rawhide' is too old, use for now
'registry.fedoraproject.org/fedora:rawhide'.
See, https://bugzilla.redhat.com/show_bug.cgi?id=1869612

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
92157bc880 ipa-dnskeysyncd: Raise loglevel to DEBUG
Previously, the logging level of StreamHandler for ipa-dnskeysyncd
was restricted to INFO via `standard_logging_setup(verbose=False)`.
Thus, it was impossible to get messages having lower level.

This also sets the loglevel for ipa-dnskeysyncd to DEBUG for
troubleshooting.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
e2030b8cad named: Include crypto policy in openssl config
On platforms which have system-wide crypto policy the latter has
to be included in openssl config.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
ecfaf897b9 named: Don't override custom command line options for named
Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.

Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:MⓂ️n:N:p:P:sS:t:T:U:u:vVx:X:"

If there are several same options the last passed wins.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
8716881fc4 service: Allow service to clean up its state
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
53b341f94b spec: Bump required openssl-pkcs11 and softhsm
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00