
Extending FreeIPA rocky-8-4.9.8 with own plugin #457

Closed
leonidas-o opened this issue May 28, 2022 · 14 comments

@leonidas-o

leonidas-o commented May 28, 2022

I've created a simple plugin which consists of two rpm files:

  • python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm
  • freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm

There are just some ipaserver plugin (.py) files, some UI (.js) files and a schema.d (.ldif) file.

The Dockerfile therefore is pretty simple

FROM my-domain/dh/freeipa/freeipa-server:rocky-8-4.9.8
# Copy rpm packages into container
COPY python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm \
    freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm \
    /tmp/
# Install rpm packages
RUN dnf install /tmp/python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm -y && \
    dnf install /tmp/freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm -y

Trying to build it with podman build --tls-verify=false -f Dockerfile -t my-registry/library/freeipa/freeipa-server:rocky-8-pfb-4.9.8 . is causing the following error:

Errors during downloading metadata for repository 'appstream':
  - Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]

Then I saw the issue: #305
and the explanation why it is behaving like that, so I tried simply changing from dnf install ... to rpm -i ... because I actually don't need any dependency management. That "almost" succeeded:

STEP 1/3: FROM my-registry/dh/freeipa/freeipa-server:rocky-8-4.9.8
STEP 2/3: COPY python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm     freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm     /tmp/
--> 3f526b1761d
STEP 3/3: RUN rpm -i /tmp/python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm &&     rpm -i /tmp/freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm
error: Couldn't create temporary file for %transfiletriggerin(glibc-common-2.28-189.1.el8.x86_64): File exists
error: Couldn't create temporary file for %posttrans(freeipa-postfixbook-plugin-0.9.0-1.el8.noarch): File exists
COMMIT my-registry/library/freeipa/freeipa-server:rocky-8-pfb-4.9.8
--> 9ada941004b
Successfully tagged my-registry/library/freeipa/freeipa-server:rocky-8-pfb-4.9.8

So what about the two errors here, any idea how to solve them, so I have a fully working and clean build process?

@adelton
Collaborator

adelton commented May 29, 2022

To workaround the /etc/pki/tls/certs/ca-bundle.crt problem, you need to populate the /data/etc/pki/ca-trust for the command that needs it (dnf).

To make rpm happy, you likely need /tmp/var/tmp as well, due to the layout of the underlying image.

Using Dockerfile

FROM docker.io/freeipa/freeipa-server:rocky-8
RUN mkdir -p /data/etc/pki /tmp/var/tmp \
    && cp -rp /data-template/etc/pki/ca-trust /data/etc/pki \
    && dnf install -y zsh \
    && dnf clean all

I was able to build an image based on freeipa/freeipa-server:rocky-8 with an additional package installed.

Of course, as explained in #305, should your package or your customization touch some of the other locations that land in the data volumes (be it /data or /tmp), you might need to create those as well before the installation, and potentially recover any change that needs to persist into /data-template as well.

@leonidas-o
Author

Hmm, I hadn't thought that this could actually solve these two strange errors from above, but using your workaround and dnf made the docker image build execute without any errors. So the docker image, at least the build process, should be fine now.

Using this newly generated docker image, I tried a fresh install/deployment:

...
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [error] DuplicateEntry: Type or value exists
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
Update failed: Type or value exists
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.

Every step before seems to be ok, but here almost at the end, it throws this error.
I had the same issue with the old (rpm -i ... based build) image as well, when trying to upgrade a rocky-8-4.9.6 to my custom rocky-8-pfb-4.9.8.

looking into the ipaserver-install.log file:

...

2022-05-29T09:14:07Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( 1.3.6.1.4.1.29426.1.10.1 NAME 'mailHomeDirectory' DESC 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.9 NAME 'mailSieveRuleSource' DESC 'Sun ONE Messaging Server defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Sun ONE Messaging Server' )", b"( 1.3.6.1.4.1.29426.1.10.8 NAME 'mailStorageDirectory' DESC 'The absolute path to the mail users mailbox' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.7 NAME 'mailQuota' DESC 'Mail quota limit in kilobytes' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.2 NAME 'mailAlias' DESC 'RFC822 Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.6 NAME 'mailGroupMember' DESC 'Name of a mail distribution list' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.4 NAME 'mailGidNumber' DESC 'GID required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.3 NAME 'mailUidNumber' DESC 'UID required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.10 NAME 'mailForwardingAddress' DESC 'Address(es) to forward all incoming messages to.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} X-ORIGIN 'IPA v4.9.8' )", b"( 1.3.6.1.4.1.29426.1.10.5 NAME 'mailEnabled' DESC 'TRUE to enable, FALSE to disable account' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )"])]
2022-05-29T09:14:08Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1088, in error_handler
    yield
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1710, in update_entry
    self.conn.modify_s(str(entry.dn), modlist)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 640, in modify_s
    return self.modify_ext_s(dn,modlist,None,None)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 613, in modify_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call
    result = func(*args,**kwargs)
ldap.TYPE_OR_VALUE_EXISTS: {'msgtype': 103, 'msgid': 3, 'result': 20, 'desc': 'Type or value exists', 'ctrls': [], 'info': 'attribute type mailQuota: Does not match the OID "1.3.6.1.4.1.29426.1.10.7". Another attribute type is already using the name or OID.'}

...

But why ldap.TYPE_OR_VALUE_EXISTS - attribute type mailQuota: Does not match the OID "1.3.6.1.4.1.29426.1.10.7". Another attribute type is already using the name or OID.
This is strange, mailQuota and the mentioned OID do not exist yet, I'm bringing them in via the plugin.

btw. my plugins src is here: https://github.com/leonidas-o/freeipa-postfixbook-plugin
Also found an older issue: https://pagure.io/freeipa/issue/5972

Seems very similar to this one here, but sounds like this bug was ignored and maybe is causing the error for me?

@adelton
Collaborator

adelton commented May 29, 2022

Is the issue with the LDAP attributes specific to containerized FreeIPA, or will you get the same error when you install FreeIPA with the plugin in a VM and run ipa-server-install?

@leonidas-o
Author

@adelton I created a new rocky linux VM and executed the following:

restorecon -vv -r -F /
dnf module enable idm:DL1
dnf module install idm:DL1/server
dnf install /home/myuser/python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm
dnf install /home/myuser/freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
# ipa-server-install complained:
# "IPA requires ports 8080 and 8443 for PKI, but one or more are currently in use.
# Aborting installation" therefore changed to SELinux permissive mode
setenforce 0
ipa-server-install

Gives me exactly the same error:

...
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [error] DuplicateEntry: Type or value exists
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
Update failed: Type or value exists
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

And looking into /var/log/ipaserver-install.log also the same error (mailQuota and OID) as above.

@leonidas-o
Author

leonidas-o commented May 29, 2022

Alexander helped me out as he mentioned: /usr/share/dirsrv/schema I looked into that directory and found 50ns-mail.ldif which contains mailForwardingAddress and mailQuota. I used the search here in GitHub to search for the strings mailQuota, mailForwardingAddress etc. in both repos, FreeIPA and FreeIPA-container, but didn't find anything. So I didn't expect that they exist, must somehow magically be fetched from somewhere.
I therefore commented out these two attributeTypes in my .ldif file, but left the object classes with these two attributeType names:

objectClasses: (
  1.3.6.1.4.1.29426.1.2.2.1
  NAME 'PostfixBookMailAccount'
  DESC 'Mail account used in Postfix Book'
  SUP top
  AUXILIARY
  MUST ( mail )
  MAY ( mailHomeDirectory $ mailAlias $ mailGroupMember $ mailUidNumber $ mailGidNumber $ mailEnabled  $ mailQuota $ mailStorageDirectory $ mailSieveRuleSource )
  )

objectClasses: (
  1.3.6.1.4.1.29426.1.2.2.2
  NAME 'PostfixBookMailForward'
  DESC 'Mail forward used in Postfix Book'
  SUP top
  AUXILIARY
  MUST ( mail $ mailAlias )
  MAY ( mailForwardingAddress )
  )

I also left the .js and .py of both (mailQuota, mailForwardingAddress) in my plugin, I guess they must be there, otherwise I won't have any UI elements?

And now I'm becoming insane. As soon as I solve one issue, another pops up, and this one right now I absolutely don't understand why it is happening. I commented out the two attributeTypes, rebuilt the RPMs, rebuilt the docker image, pushed it into the registry and tried the same approach as before.
I had a rocky-8-4.9.6 container, created one user, stopped the container, removed the container and started the new 'rocky-8-pfb-4.9.8' container. This was working, the container came up and died in the Applying LDAP updates section. I've done that yesterday a couple of times while troubleshooting.
Now that I have hopefully fixed the RPMs with the new schema, I start up the new container and immediately receive an error:

Error: setxattr /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies: operation not permitted

$ ls -la /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies
lrwxrwxrwx. 2 foo foo 42 Nov  9  2021 /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies -> /etc/crypto-policies/back-ends/krb5.config
$ ls -la /etc/crypto-policies/back-ends/krb5.config
lrwxrwxrwx. 1 root root 43 May 29 19:08 /etc/crypto-policies/back-ends/krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
$ ls -la /usr/share/crypto-policies/DEFAULT/krb5.txt
-rw-r--r--. 2 root root 179 Apr 12 23:13 /usr/share/crypto-policies/DEFAULT/krb5.txt

I mean why is it now even earlier dying than the last time?
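A pre-install check for the kind of collision found above, added here as an example and not code from the plugin, from FreeIPA or from this container project: it unfolds the plugin's LDIF, pulls the OID and NAME out of every attributeTypes/objectClasses definition, and compares them against the schema already shipped in /usr/share/dirsrv/schema (the directory mentioned above), so a name that is already taken by a different OID (the mailQuota case from the install log) is reported before ipa-server-install is run. The embedded "installed" sample is constructed: the real OIDs of mailQuota and mailForwardingAddress in 50ns-mail.ldif are not shown in this thread, so the 2.999 arc (reserved for examples) stands in for them.

```python
"""Pre-install check: does a plugin's LDIF schema collide with attribute or
object-class definitions already installed in 389-ds?  Added example; not
part of the postfixbook plugin or of FreeIPA."""
import glob
import re
import sys

# A logical LDIF line holding a schema definition.
_DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*(\(.*\))\s*$",
                     re.IGNORECASE)
# OID: first token after the opening parenthesis.
_OID_RE = re.compile(r"^\(\s*([0-9][0-9.]*)")
# NAME 'x'  or  NAME ( 'x' 'y' ).  389-ds schema files write the keyword in
# upper case, so no IGNORECASE (DESC text such as 'Name of ...' must not match).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line
    and drop comment lines, returning logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_schema(text):
    """Return [(kind, oid, [names...]), ...] for every attributeTypes /
    objectClasses definition; kind and names are lower-cased because the
    directory server matches them case-insensitively."""
    defs = []
    for line in unfold_ldif(text):
        m = _DEF_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1).lower(), m.group(2)
        oid_m, name_m = _OID_RE.match(body), _NAME_RE.search(body)
        if not oid_m or not name_m:
            continue  # no numeric OID or no NAME: nothing to compare
        if name_m.group(1):
            names = [name_m.group(1)]
        else:
            names = re.findall(r"'([^']+)'", name_m.group(2))
        defs.append((kind, oid_m.group(1), [n.lower() for n in names]))
    return defs


def find_conflicts(plugin_text, existing_text):
    """Describe every plugin definition whose NAME or OID is already taken."""
    by_name, by_oid = {}, {}
    for kind, oid, names in parse_schema(existing_text):
        by_oid[oid] = (kind, names)
        for n in names:
            by_name[(kind, n)] = oid
    conflicts = []
    for kind, oid, names in parse_schema(plugin_text):
        for n in names:
            taken = by_name.get((kind, n))
            if taken is None:
                continue
            if taken != oid:   # the mailQuota situation from the install log
                conflicts.append(f"{kind} '{n}': name already used by OID "
                                 f"{taken}, plugin declares {oid}")
            else:
                conflicts.append(f"{kind} '{n}' ({oid}) is already installed; "
                                 "drop it from the plugin schema")
        hit = by_oid.get(oid)
        if hit and not set(names) & set(hit[1]):
            conflicts.append(f"OID {oid} already used by {hit[0]} {hit[1]}, "
                             f"plugin names it {names}")
    return conflicts


def load_installed_schema(schema_dir="/usr/share/dirsrv/schema"):
    """Concatenate the server's schema LDIF files."""
    chunks = []
    for path in sorted(glob.glob(schema_dir + "/*.ldif")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            chunks.append(fh.read())
    return "\n".join(chunks)


# Constructed samples so the check runs offline.  Plugin side: definitions
# quoted in the install log above.  Installed side: stand-in for
# 50ns-mail.ldif, real OIDs unknown here, so the 2.999 example arc is used.
PLUGIN_LDIF = """\
attributeTypes: ( 1.3.6.1.4.1.29426.1.10.1 NAME 'mailHomeDirectory' DESC 'The absolute path to the mail user home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.9.8' )
attributeTypes: ( 1.3.6.1.4.1.29426.1.10.7 NAME 'mailQuota' DESC 'Mail quota limit in kilobytes' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v4.9.8' )
attributeTypes: ( 1.3.6.1.4.1.29426.1.10.10 NAME 'mailForwardingAddress' DESC 'Address(es) to forward all incoming messages to.' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} X-ORIGIN 'IPA v4.9.8' )
objectClasses: (
  1.3.6.1.4.1.29426.1.2.2.1
  NAME 'PostfixBookMailAccount'
  DESC 'Mail account used in Postfix Book'
  SUP top AUXILIARY MUST ( mail ) MAY ( mailHomeDirectory $ mailQuota )
  )
"""
INSTALLED_LDIF = """\
# constructed stand-in for /usr/share/dirsrv/schema/50ns-mail.ldif
attributeTypes: ( 2.999.1.1 NAME 'mailQuota' DESC 'placeholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.999.1.2 NAME 'mailForwardingAddress' DESC 'placeholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""

if __name__ == "__main__":
    # Usage: python3 schema_check.py plugin.ldif [/usr/share/dirsrv/schema]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plugin = fh.read()
        installed = load_installed_schema(*sys.argv[2:3])
    else:
        plugin, installed = PLUGIN_LDIF, INSTALLED_LDIF
    problems = find_conflicts(plugin, installed)
    print("\n".join(problems) if problems else "no schema collisions")
    sys.exit(1 if problems else 0)
```

Run it against the plugin's schema.d file inside the (custom) image, or on the VM, before packaging: a non-zero exit means the server will refuse the schema update, and the message tells you which definition to drop from the plugin (as was done above for mailQuota and mailForwardingAddress) rather than which one to rename.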

@adelton
Collaborator

adelton commented May 29, 2022

I'm sorry but I don't quite follow. Do you have a setup that already works in a VM (outside of containerized FreeIPA)?

What filesystem is used to back up that /srv/freeipa/ipa-data?

@leonidas-o
Author

leonidas-o commented May 29, 2022

Okay, I try to explain a bit better.
I have the one VM on which you asked me to try the plugin (8 hours ago), see the comment above. But as ipa-server-install failed on that machine, it's currently in a "broken" state; also when I execute ipactl status I get IPA is not configured (see man pages of ipa-server-install for help). So I'm not doing anything on there, as I don't know how to reset that, clean that up, etc.

Besides that, I have another VM with podman on it. This is actually the VM where the FreeIPA container should run. On that VM I had no issues to (rootless) podman run ... rocky-8-4.9.6 and then podman run ... rocky-pfb-8-4.9.8 and watch the FreeIPA upgrade starting (even the upgrade with the official rocky-8-4.9.8 tag throws the same error). But out of nowhere, it simply dies immediately with the error Error: setxattr /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies: operation not permitted, when I do that right now.

On both VM's selinux is in permissive mode, both use the local volume, xfs.
I now changed the command podman run ... -v /srv/freeipa/ipa-data:/data ... rocky-pfb-8-4.9.8, removed :Z on the volume mount, and then Error: setxattr ... disappeared, the regular installation/ upgrade started.
It failed, but without the :Z flag it started:

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@MY-DOMAIN.service'] returned non-zero exit status 1: 'Job for dirsrv@MY-DOMAIN.service failed because the control process exited with error code.\nSee "systemctl status dirsrv@MY-DOMAIN.service" and "journalctl -xe" for details.\n')
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration

But I don't understand why it is kind of working without the :Z, I mean SELinux on the host is in permissive mode, so nothing here should block the container. Selinux inside the container is disabled, checked it on a fresh podman run ... rocky-pfb-8-4.9.8.

@adelton
Collaborator

adelton commented May 30, 2022

So something is still broken in that actual LDAP schema and/or dirsrv operation, but because it's broken also on an in-VM installation, we won't be solving that here -- that's a general FreeIPA issue.

As for the containerized operation: What filesystem is used to back up that /srv/freeipa/ipa-data? What OS (and version) is on that VM where you run that podman?

@leonidas-o
Author

I'm not even using my plugin for the current troubleshooting anymore, as there seems to be something else interfering.

To make it clear, what is already not working. I'm using here the official FreeIPA image, not my custom one.

  1. Run it for the first time and install FreeIPA.
podman run -e IPA_SERVER_IP=IPADDRESS \
  -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
  --name freeipa-server -h my-freeipa-host -ti --read-only \
  -v /srv/freeipa/ipa-data:/data:Z --tls-verify=false \
  my-registry/dh/freeipa/freeipa-server:rocky-8-4.9.8
  2. After successful installation, create a test user via Web UI.
  3. Shutdown container and delete container.
podman container stop freeipa-server
podman container rm freeipa-server
  4. The exact same podman run command from 1.

-> I immediately get a: Error: setxattr /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies: operation not permitted

The VMs are running inside Proxmox, it's a VM template I prepared, so each VM is coming up with the same setup.

cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.6 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.6 (Green Obsidian)"
...

For the filesystem, it's XFS as already said or do you need something else here?
I'm kind of confused why that happens out of nowhere and as soon as I remove the container, I mean this was working, 100% sure and it has to work, how will you ever be able to upgrade otherwise...
There was no update of Proxmox, had this issue, then I executed a dnf upgrade on the VM, but same behaviour after the upgrade.

@adelton
Collaborator

adelton commented May 30, 2022

Assuming Rocky Linux 8.6 has the same podman version as RHEL 8.6 (podman-4.0.2-6.module+el8.6.0+14673+621cb8be), I believe you are hitting a regression bug https://bugzilla.redhat.com/show_bug.cgi?id=2083570. If that's the case, not using the SELinux relabeling (omit :Z) or using 8.5 instead of 8.6 on that VM might be viable workarounds.

@leonidas-o
Author

leonidas-o commented May 30, 2022

Ouch, that's mean, but well spotted. Yes, that pretty much sounds like the cause, and it is of course. I'm already on container-tools:rhel8, any information when podman 4.1 will be available in here?
Maybe the 4.0.0 version would work as well; as I said, I'm pretty sure this worked a couple of days ago, and I was for sure not on podman 3.x. Nevertheless I switched to container-tools:3.0 and am using podman 3.0.1 right now. Tested the upgrades from:

  • rocky-8-4.9.6 to rocky-8-4.9.8
  • rocky-8-4.9.6 to rocky-8-pfb-4.9.8

Seems both upgrades were executed properly. One issue solved, one left. Don't see any web UI elements for the newly added LDAP attributeTypes. Switching to the mailing list (opened a discussion topic there with the title Extending FreeIPA (Schema, CI, UI)), as it seems more like a "How-To" than a FreeIPA Container issue. In case you got an idea about that as well, let me know. Will report back asap. Thanks a lot for the help so far.

@leonidas-o
Author

I'm currently facing a checkbox issue, which feels like a bug. The checkbox is not displaying the stored value when entering the users details view.
After saving the changes, ipa user-show is showing that attribute like:

  ... 
  Account disabled: False
  Mail enabled: TRUE
  ...

A bit strange, don't know if this could cause some issues, but the value is TRUE (all uppercase), while the others are written as True (only first letter uppercase). When doing an ldapsearch, I see it also on my user as mailEnabled: TRUE. I also tried an ldapsearch with all variations like True, TRUE, true and mailEnabled, mailenabled; I always got the results back.
Other fields of my plugin like "mailAlias", "mailHomeDirectory" or even "mailAlias" work as expected. I can save a value and it will be loaded into the field after entering the details view.
Any idea on that?

@adelton
Collaborator

adelton commented Jun 5, 2022

If this is not containerization specific, please bring this to https://pagure.io/freeipa/issues or https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/.

May I assume that the original issue (extending FreeIPA image) has been since resolved?

@leonidas-o
Author

Ahh, now I know where to put FreeIPA-specific (non-container) issues, because here in GitHub it wasn't possible to create one for FreeIPA.
The checkbox issue is also on containerised FreeIPA, but it's not container specific, as I first encountered that on the VM with a native FreeIPA running on it. I can create a new issue on Pagure.io for that.
There is still a container-specific issue, but I will create a new issue for that, as it is regarding the time synchronisation on installation, so it's unrelated to extending FreeIPA; it happens right at the beginning.
