Extending FreeIPA rocky-8-4.9.8 with own plugin #457
To workaround the To make rpm happy, you likely need Using
I was able to build an image based on Of course, as explained in #305, should your package or your customization touch some of the other locations that land in the data volumes (be it |
Hmm, haven't thought that this could actually solve these two strange errors from above but using your workaround and dnf made the docker image build executing without any errors. So the docker image, at least the build process should be fine now. Using this newly generated docker image, I tried a fresh install/deployment:
Every step before seems to be ok, but here almost at the end, it throws this error. looking into the
But why btw. my plugins src is here: https://github.com/leonidas-o/freeipa-postfixbook-plugin Seems very similar to this one here, but sounds like this bug was ignored and maybe is causing the error for me? |
Is the issue with the LDAP attributes specific to containerized FreeIPA, or will you get the same error when you install FreeIPA with the plugin in a VM and run |
@adelton I created a new rocky linux VM and executed the following:
```
restorecon -vv -r -F /
dnf module enable idm:DL1
dnf module install idm:DL1/server
dnf install /home/myuser/python3-ipa-postfixbook-server-0.9.0-1.el8.noarch.rpm
dnf install /home/myuser/freeipa-postfixbook-plugin-0.9.0-1.el8.noarch.rpm
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
# ipa-server-install complained:
# "IPA requires ports 8080 and 8443 for PKI, but one or more are currently in use.
# Aborting installation" therefore changed to SELinux permissive mode
setenforce 0
ipa-server-install
```
Gives me exactly the same error:
```
...
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[error] DuplicateEntry: Type or value exists
[cleanup]: stopping directory server
[cleanup]: restoring configuration
Update failed: Type or value exists
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
And looking into |
Alexander helped me out as he mentioned:
```
objectClasses: (
  1.3.6.1.4.1.29426.1.2.2.1
  NAME 'PostfixBookMailAccount'
  DESC 'Mail account used in Postfix Book'
  SUP top
  AUXILIARY
  MUST ( mail )
  MAY ( mailHomeDirectory $ mailAlias $ mailGroupMember $ mailUidNumber $ mailGidNumber $ mailEnabled $ mailQuota $ mailStorageDirectory $ mailSieveRuleSource )
  )
objectClasses: (
  1.3.6.1.4.1.29426.1.2.2.2
  NAME 'PostfixBookMailForward'
  DESC 'Mail forward used in Postfix Book'
  SUP top
  AUXILIARY
  MUST ( mail $ mailAlias )
  MAY ( mailForwardingAddress )
  )
```
I also left the .js and .py of both (mailQuota, mailForwardingAddress) in my plugin, I guess they must be there, otherwise I won't have any UI elements? And now I'm becoming insane. As soon as I solve one issue, another pops up and this one right now, I absolutely don't understand why it is happening. I commented out the two attributeTypes, rebuilt the RPMs, rebuilt the docker image, pushed it into the registry and tried the same approach as before.
```
Error: setxattr /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies: operation not permitted
```
```
$ ls -la /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies
lrwxrwxrwx. 2 foo foo 42 Nov 9 2021 /srv/freeipa/ipa-data/.configfiles/etc/krb5.conf.d/crypto-policies -> /etc/crypto-policies/back-ends/krb5.config
$ ls -la /etc/crypto-policies/back-ends/krb5.config
lrwxrwxrwx. 1 root root 43 May 29 19:08 /etc/crypto-policies/back-ends/krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
$ ls -la /usr/share/crypto-policies/DEFAULT/krb5.txt
-rw-r--r--. 2 root root 179 Apr 12 23:13 /usr/share/crypto-policies/DEFAULT/krb5.txt
```
I mean why is it now even earlier dying than the last time? |
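
The schema update earlier in this thread stopped with `DuplicateEntry: Type or value exists`, and the poster's next step was to comment out the `mailQuota` and `mailForwardingAddress` attributeTypes. As an added example (not from the thread, the plugin, or FreeIPA), here is a pre-build check that flags plugin schema definitions whose NAME or OID the server schema already has. The sample LDIF text and the `9.9.*` OIDs are constructed placeholders.

```python
import re

# One unfolded schema value: "<kind>: ( <oid> NAME 'x' ..." or "... NAME ( 'x' 'y' ) ..."
DEF_RE = re.compile(
    r"^(attributeTypes|objectClasses):\s*\(\s*([\d.]+)\s+NAME\s+('[^']+'|\([^)]*\))",
    re.IGNORECASE)

def unfold(text):
    """Join LDIF continuation lines (leading space); drop comments and their folds."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        if raw.startswith(" "):
            if lines and not in_comment:
                lines[-1] += raw[1:]
        else:
            in_comment = raw.startswith("#")
            if not in_comment:
                lines.append(raw)
    return lines

def parse_schema(text):
    """Return {(kind, lowercased NAME): oid} for every definition in the text."""
    defs = {}
    for m in filter(None, map(DEF_RE.match, unfold(text))):
        for name in re.findall(r"'([^']+)'", m.group(3)):
            defs[(m.group(1).lower(), name.lower())] = m.group(2)
    return defs

def find_collisions(plugin_text, installed_text):
    """List plugin definitions whose NAME or OID is already in the installed schema."""
    installed = parse_schema(installed_text)
    hits = []
    for (kind, name), oid in sorted(parse_schema(plugin_text).items()):
        if (kind, name) in installed:
            hits.append((kind, name, "name already defined"))
        elif oid in installed.values():
            hits.append((kind, name, "OID already in use"))
    return hits

# Constructed sample: definitions already present on the server (placeholder OIDs).
INSTALLED = ("attributeTypes: ( 9.9.1.1 NAME 'mailQuota' )\n"
             "attributeTypes: ( 9.9.1.2 NAME ( 'mailForwardingAddress' 'mailForward' ) )\n")
# Constructed sample: plugin schema.d file; the commented-out line is ignored.
PLUGIN = """\
attributeTypes: (
  9.9.2.1 NAME 'mailQuota' )
attributeTypes: ( 9.9.2.2 NAME 'mailEnabled' )
# attributeTypes: ( 9.9.2.3 NAME 'mailForwardingAddress' )
objectClasses: ( 1.3.6.1.4.1.29426.1.2.2.1 NAME 'PostfixBookMailAccount' )
"""
```

In practice `installed_text` would be the concatenated schema files shipped with the directory server, and `plugin_text` the plugin's schema.d LDIF file.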
I'm sorry but I don't quite follow. Do you have a setup that already works in a VM (outside of containerized FreeIPA)? What filesystem is used to back up that |
Okay, I try to explain a bit better. Besides that, I have another VM with podman on it. This is actually the VM where the FreeIPA container should run. On that VM I had no issues to (rootless) On both VMs selinux is in permissive mode, both use the local volume, xfs.
```
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: saving configuration
[2/9]: disabling listeners
[3/9]: enabling DS global lock
[4/9]: disabling Schema Compat
[5/9]: starting directory server
[error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@MY-DOMAIN.service'] returned non-zero exit status 1: 'Job for dirsrv@MY-DOMAIN.service failed because the control process exited with error code.\nSee "systemctl status dirsrv@MY-DOMAIN.service" and "journalctl -xe" for details.\n')
[cleanup]: stopping directory server
[cleanup]: restoring configuration
```
But I don't understand why it is kind of working without the |
So something is still broken in that actual LDAP schema and/or dirsrv operation but because it's broken also on on-VM installation, we won't be solving that here -- that's a general FreeIPA issue. As for the containerized operation: What filesystem is used to back up that |
I'm not even using my plugin for the current troubleshooting anymore, as there seems to be something else interfering. To make it clear, what is already not working. I'm using here the official FreeIPA image, not my custom one.
-> I immediately get a: The VMs are running inside Proxmox, it's a VM template I prepared, so each VM is coming up with the same setup.
For the filesystem, it's XFS as already said or do you need something else here? |
Assuming Rocky Linux 8.6 has the same podman version as RHEL 8.6 (podman-4.0.2-6.module+el8.6.0+14673+621cb8be), I believe you are hitting a regression bug https://bugzilla.redhat.com/show_bug.cgi?id=2083570. If that's the case, not using the SELinux relabeling (omit |
Ouh that's mean but well spotted. Yes, that pretty much sounds like the cause and it is of course. I'm already on
Seems both upgrades were executed properly. One issue solved, one left. Don't see any web ui elements for the newly added ldap attributeTypes. Switching to the mailing list (got there a discussion topic with the title |
I'm currently facing a checkbox issue, which feels like a bug. The checkbox is not displaying the stored value when entering the users details view.
```
...
Account disabled: False
Mail enabled: TRUE
...
```
A bit strange, don't know if this could cause some issues, but the value is |
If this is not containerization specific, please bring this to https://pagure.io/freeipa/issues or https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/. May I assume that the original issue (extending FreeIPA image) has been since resolved? |
Ahh now I know where to put FreeIPA specific (non-container) issues, because here in Github it wasn't possible to create one for FreeIPA. |
I've created a simple plugin which consists of two rpm files:
There are just some ipaserver plugin (.py) files, some UI (.js) files and a schema.d (.ldif) file.
The Dockerfile therefore is pretty simple
Trying to build it with
```
podman build --tls-verify=false -f Dockerfile -t my-registry/library/freeipa/freeipa-server:rocky-8-pfb-4.9.8 .
```
is causing the following error:

Then I saw the issue: #305
and the explanation why it is behaving like that, so I tried simply changing from
`dnf install ...`
to
`rpm -i ...`
because I actually don't need any dependency management. That "almost" succeeded:

So what about the two errors here, any idea how to solve them, so I have a fully working and clean build process?