Add dependency on pki-acme #5039
With the merging of freeipa#4723, pki-acme should be added as a dependency of IPA. Note that this is only necessary on PKI >= 10.10 and shouldn't be backported to RHEL 8.3 as the subpackage doesn't exist there.
Related: dogtagpki/pki#513
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Before merging this we need:
|
I think you should be able to add @pki/master as an external repo in @freeipa/freeipa-master. |
No, this would only work for packages built in COPR itself. However, now COPR has support for runtime dependencies: https://fedora-copr.github.io/posts/runtime-dependencies. I added copr://@pki/master there. There is, however, a warning that @pki/master COPR repo does not provide following chroots: fedora-rawhide-aarch64, fedora-32-aarch64. This means we will not be able to test on aarch64. Could you please add aarch64 chroots to @pki/master? |
It doesn't seem to help, though, because pki-core >= 10.9.0-0.4 cannot be found in http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/de66f5ec-e0a6-11ea-a8d2-fa163e19313f/runner.log.gz
@netoarmando @f-trivino could you please look at it? Maybe instead of enabling runtime dependency in COPR we should add
to https://github.com/freeipa/freeipa-pr-ci/blob/master/ansible/vars/ipa_branches/master.yml ? |
I added fedora-32-aarch64 and fedora-rawhide-aarch64 and tried to rebuild the packages, but it looks like there are some issues with f30 and rawhide right now: |
Rawhide is currently broken in COPR due to: |
I've triggered a PR-CI run in the parallel infra (freeipa-pr-ci2#354) to test these changes with a template where @pki/master copr repo is enabled in Fedora 32. Same could be applied here by using these lines: freeipa/ipatests/prci_definitions/nightly_latest_pki.yaml Lines 41 to 42 in 03a5e5f
|
Thanks @netoarmando. The packages get installed fine but then deployment fails due to exceptions in pkispawn:
|
Seems like a weird permissions error:
@edewata -- any thoughts? |
@f-trivino as an aside, how would we get |
@cipherboy I can't talk about data sensitivity, but logs available in PR-CI output are defined here: https://github.com/freeipa/freeipa/blob/master/ipatests/pytest_ipa/integration/__init__.py#L43 |
Right now we don't have any hardware-specific secrets in PR CI. Also, VMs get destroyed before logs copied out to a storage location, so anything there is not sensitive anymore. |
@cipherboy Not sure. The CI for commit 1340639 passed. Is |
On my local F32 test deployment of git master I have:
So yes, it is supposed to be owned by |
If the file permissions were correct, the last command shouldn't have failed since it's simply exporting a cert from NSS database into a file. Could someone retry the command on the test machine (with the
|
It didn't work for me in pki 10.9.0-0.4, only worked with 10.10.0-0.1.alpha1. I used a different file in the same folder to save the CA certificate to:
|
The above permissions issue was also reported by @ssidhaye and fixed in Fedora and RHEL packages. A fix should be available in COPR repos for 10.9 and 10.10 packages, plus fixed in F33+. Note that all Fedoras are waiting for respin to fix upgrade issue + additional issue Endi reported. Only F33 compose has succeeded since packages were built; Rawhide compose is still broken apparently. |
As of now, we can either enable Update: |
@cipherboy |
To throw in a monkey wrench I'll soon need this version of PKI for the ipa-4-8 branch too in order to test backporting ACME there. |
Here's an alternative PR where the pki-acme dependency only arises if |
#5117 merged, closing this one. |