
Use Custodia 0.3.1 features #517

Closed
wants to merge 1 commit into from
Closed

Conversation

tiran
Member

@tiran tiran commented Feb 28, 2017

Use Custodia 0.3 features

  • Use sd-notify in ipa-custodia.service
  • Introduce libexec/ipa/ipa-custodia script. It comes with correct
    default setting for IPA's config file. The new file also makes it
    simpler to run IPA's custodia instance with its own SELinux context.
  • ipapython no longer depends on custodia

The patch addresses three issues:

Signed-off-by: Christian Heimes cheimes@redhat.com
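The first bullet switches ipa-custodia.service to systemd's readiness notification. The following block is an added illustration, not code from this PR or from the custodia project: a minimal sd_notify(3) client that sends READY=1 over the datagram socket named by NOTIFY_SOCKET, plus a constructed round-trip in which a throwaway listener plays systemd's role. The function and file names are this example's own.

```python
import os
import socket
import tempfile


def sd_notify(message, notify_socket=None):
    """Send one sd_notify(3) message to the NOTIFY_SOCKET datagram socket.

    Returns True when a datagram was sent, False when no socket is
    configured (the process was not started by systemd as Type=notify).
    This is an illustrative re-implementation, not custodia's own code.
    """
    path = notify_socket if notify_socket is not None else os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False
    # systemd spells abstract-namespace sockets with a leading '@';
    # the kernel expects a leading NUL byte for those instead.
    if path.startswith("@"):
        path = "\0" + path[1:]
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(path)
        sock.send(message.encode("utf-8"))
    finally:
        sock.close()
    return True


def notify_ready():
    """Tell systemd the service finished start-up; only then does
    'systemctl start' return and dependants get started."""
    return sd_notify("READY=1\n")


def demo_roundtrip():
    """Constructed check: bind a temporary listener the way systemd would,
    send READY=1 to it and return (sent, received_text)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "notify.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(path)
    listener.settimeout(2)
    try:
        sent = sd_notify("READY=1\n", notify_socket=path)
        received = listener.recv(4096).decode("utf-8") if sent else ""
    finally:
        listener.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return sent, received


if __name__ == "__main__":
    print(demo_roundtrip())
```

The point of Type=notify for a secrets service is that the unit is reported as started only once the server is actually listening on its socket, so a dependent unit never races against a half-initialised custodia.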

freeipa.spec.in Outdated
@@ -148,7 +148,8 @@ BuildRequires: pki-base-python2
BuildRequires: python-pytest-multihost
BuildRequires: python-pytest-sourceorder
BuildRequires: python-jwcrypto
BuildRequires: python-custodia
# 0.3: sd-notify and ipaserver.secrets.service
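Review bot: the version requirement this comment documents is not enforced by the hunk; the `BuildRequires: python-custodia` line it sits next to stays unversioned, so a build against an older custodia still succeeds and the missing 0.3 features only surface at runtime. Suggest pinning the dependency (`BuildRequires: python-custodia >= 0.3`, and the matching runtime Requires if the spec carries one) and writing the comment in the same style as the neighbouring BuildRequires lines rather than as a feature list.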
Contributor


Nitpick: Please specify what new API is provided (custodia.server) rather than what requires it (ipaserver.secrets.service). Also I don't think sd-notify is a build dependency.

Member Author


Counter nitpick: These are the new features provided by Custodia 0.3: fully working sd-notify support and the ability to provide ipaserver.secrets.service with a custom argparser.

Contributor


That's not how any other BuildRequires are commented. My point is, please follow the existing format instead of inventing your own thing.

@tiran
Member Author

tiran commented Mar 1, 2017

FYI, Custodia 0.3 hasn't been released yet. I'm still doing smoke tests with FreeIPA's secrets service. So far, FreeIPA master and Custodia master work flawlessly.

@tiran
Member Author

tiran commented Mar 1, 2017

@tiran tiran force-pushed the ipa_custodia branch 2 times, most recently from 8a6b444 to cbd232e on March 2, 2017 12:38
@MartinBasti
Contributor

ipa-server-install failed

Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 10 17:48:54 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:10:18 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: [/usr/lib/systemd/system/ipa-custodia.service:6] Executable path is not absolute, ignoring: @libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/c
Mar 10 18:16:57 vm-058-129.abc.idm.lab.eng.brq.redhat.com systemd[1]: ipa-custodia.service: Service lacks both ExecStart= and ExecStop= setting. Refusing.
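The two systemd messages above are the symptom of an autotools template marker (@libexecdir@) that was never substituted into the installed unit, which is what the later Makefile.am fix addresses. The following linter is an added example, not part of FreeIPA or this PR: it scans a unit file for leftover @name@ markers and for Exec* directives whose executable path is not absolute, and reports a [Service] section left with no usable ExecStart=/ExecStop=, mirroring the two messages in the log. The sample unit texts, the config file name and the /usr/libexec prefix are constructed for the example.

```python
import re

# Autotools-style markers that configure/Makefile should have replaced.
TEMPLATE_MARKER = re.compile(r"@[A-Za-z_][A-Za-z0-9_]*@")
# Directives whose value must begin with an absolute executable path.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")


def check_unit(text):
    """Lint the text of a systemd unit file.

    Returns a list of (line_no, problem) tuples; line_no 0 marks a
    unit-level problem. Written for illustration; it is not systemd's
    own parser and only covers the two failure modes seen in the thread.
    """
    findings = []
    section = None
    saw_service = False
    usable_exec = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            saw_service = saw_service or section == "Service"
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        for match in TEMPLATE_MARKER.finditer(value):
            findings.append((no, "unsubstituted template marker %s" % match.group(0)))
        if section == "Service" and key in EXEC_KEYS:
            # systemd accepts prefix characters before the path ('-' to ignore
            # failures, '@' to override argv[0], ...); skip them before checking.
            command = value.lstrip("-@+!:")
            executable = command.split(None, 1)[0] if command else ""
            if not executable.startswith("/"):
                findings.append((no, "%s executable path is not absolute, "
                                     "systemd would ignore it: %r" % (key, executable)))
            elif key in ("ExecStart", "ExecStop"):
                usable_exec += 1
    if saw_service and usable_exec == 0:
        findings.append((0, "service lacks both ExecStart= and ExecStop= setting"))
    return findings


# Constructed sample: the broken unit as installed before the Makefile fix.
BAD_UNIT = """[Unit]
Description=IPA Custodia Service

[Service]
Type=notify
ExecStart=@libexecdir@/ipa/ipa-custodia /etc/ipa/custodia/EXAMPLE.conf
"""

# Constructed sample: the same unit with the marker substituted (assumed prefix).
GOOD_UNIT = BAD_UNIT.replace("@libexecdir@", "/usr/libexec")


if __name__ == "__main__":
    for line_no, problem in check_unit(BAD_UNIT):
        print("line %d: %s" % (line_no, problem))
```

Running such a check over the unit files produced by `make install` (or over a built RPM's payload) turns the runtime "Executable path is not absolute" failure into a build-time error, which is where a packaging mistake like this belongs.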

@tiran
Member Author

tiran commented Mar 14, 2017

sigh, template markers aren't picked up automatically. I fixed init/systemd/Makefile.am.

@tiran
Member Author

tiran commented Mar 16, 2017

This PR must be merged into 4.5 ASAP. Without the fix it is not possible to define proper SELinux policies for ipa-custodia and stand-alone custodia.

@MartinBasti
Contributor

I assume that this is not WIP anymore then

@martbab
Contributor

martbab commented Mar 17, 2017

@tiran we first need a copr build on F25 to unblock Travis CI. Can you provide a copr repo and modify test runner config to add it during builddep phase?

@MartinBasti
Contributor

@martbab I will test it manually (when I receive F25/F26 rpms); if it works then I will update the master copr

@martbab
Contributor

martbab commented Mar 17, 2017

@MartinBasti ok there should be no problems with that (built it on F25 VM but threw it away afterwards, oh well)

@tiran
Member Author

tiran commented Mar 17, 2017

I had some issues with the build system yesterday. For some reason the python2-python-etcd dependency was missing a dependency on etcd. I'm glad time heals all wounds (or some devs g).

F25 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429524
F26 https://koji.fedoraproject.org/koji/taskinfo?taskID=18429570

@pvoborni
Member

This PR does more things than the linked ticket 5825. It needs a new ticket for backport to downstream, mainly for the SELinux separation; 5825 is not usable for it.

@MartinBasti MartinBasti changed the title [WIP] Use Custodia 0.3 features Use Custodia 0.3 features Mar 22, 2017
@tiran
Member Author

tiran commented Mar 22, 2017

PR is blocked because custodia 0.3 is not yet in https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/packages/ Please add the package from the Koji builds #517 (comment)

@MartinBasti
Contributor

No, this PR is not blocked by this but by this. I manually tried this patch and replica installation failed.

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 203, in install
    install_step_0(standalone, replica_config, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 244, in install_step_0
    replica_config.dirman_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 182, in get_ca_keys
    self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 146, in __get_keys
    value = cli.fetch_key(os.path.join(prefix, nickname), False)
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 101, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 844, in raise_for_status
    raise HTTPError(http_error_msg, response=self)

2017-03-22T09:41:44Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca for url: https://vm-126.abc.idm.lab.eng.brq.redhat.com/ipa/keys/ca/caSigningCert%20cert-pki-ca?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.OxngT9UkpcI1epgfUY4ptfAcgNqcWkolwjxt48l7mYvvvDbejfdPY5IAulLyqXE_vc4ifCmqAJ2je9t2IC-gJXq9csZ60q4_sBhhw-NVp_2GZOasPYnF_LDoLEUx9iKihMiBRXTMS4Ue4wzx41tgSViCpuO7eUT5XKRaYtwOXd5qi46Z6S8XgQJSTeW3WQjRGNqSzYMOeHQNPMz24gSx9ENJ4Mx2x4LxY5cod3HGjocgp9s4qnJLYL3bhEXRL9x_t8RG6B06_FXY044DNsR5YBlHa7J5ks2ldiR7TCBN2te5iv_ePKYdpmMlHqeT1NNjGKMnei-TTtYE8dsJM4Q9gA.eDq3i2fgbry5AabVyJHVeg.Uf9wBxxQSloach8Pcbdi2BMzeHB9bY4tFRvifH3_-omv87g0jDCMEK8Tv56E9psnp1BEhcslPcIQC2k8YTUiMv_SgA-uj3Agb1RhZn1JV9IlZzPRfUELCj0jj-rVsC7UeQjkYRjYhxnCrlYpiLeAEfPnHlSMqCHH2PWJEzxGH8bCrIBkwrvQ8A2an0tP37HTi4fyJJbHaBZD4YWSG5iD7RjzkL8a89edyiZNNO7xbgX2CxvvgIhJ0vxYWPn6SSLJpOJaVF_Wt5cRMfXccPKdB5VUXPefEUbOjf4A5xdGZiCSWY8jCU8Rb246SdWlxKipEVcRua0zKNcC51IHxAIZY-Jxp9yTqQm8OvNNqsV1cG_TSovsH9MES7AEMYTDNxRr-QluR6Nvjc7VqN_nG9e4l8f7B7ut_sG-BQWJcbWm0GApISE9c9FzjtNmJAO5eZpGehLuOIHPornnyye2ulc_5XeRxr9QtpAHE9buluRAP_bBPXwB2IpDyP2gnOQhyI64ulu1_QRjq_XKoSCBOFe94XMt7JpoQe_NcvsR-rlaZLC4aQaUaycT-a_n6ly-Uwoh2jSHJ2lzLSZ2pbdqkCws_LEevY2Ola67VvQjWNcS7udQlDNhDZPso8_Abf8Jlm54iNMTiKKClRrM6kFITslzXpqpJ_NBe6q6gUp2JY-qkny1y0xwF4Q7kjXvSJdjGXSYrpR3eT9GZfdFIIHy_GUa8Sbt0tYddobEaqdGHo1rO90.GovMfUQdvTRXvrae4vbQDBApw37BgjXM9fimKMmkfQA

@tiran
Member Author

tiran commented Mar 22, 2017

@MartinBasti How did you get Custodia into the test envs when it is not available in COPR or Fedora repos?

@MartinBasti
Contributor

@tiran I manually installed custodia on my VM from koji. Travis doesn't run replica install tests, which is the primary use case for custodia in FreeIPA, so the Travis result has no weight for this PR

@tiran
Member Author

tiran commented Mar 22, 2017

Please post the custodia logs (journalctl -u ipa-custodia and /var/log/ipa-custodia.audit.log) from the server.

@MartinBasti
Contributor

[root@vm-058-017 ~]# journalctl -u ipa-custodia
-- Logs begin at Wed 2017-03-15 15:56:23 CET, end at Wed 2017-03-22 12:35:17 CET. --
Mar 15 16:20:58 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 15 16:25:39 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 22 10:41:43 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service...
Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com ipa-custodia[49493]: 2017-03-22 10:41:44 - server                           - Serving on Unix socket /run/httpd/ipa-custodia.sock
Mar 22 10:41:44 vm-058-017.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
lines 1-7/7 (END)

Audit file is empty

@MartinBasti
Contributor

custodia-0.3.0-3.fc25.noarch

@MartinBasti
Contributor

Replica logs^

Master logs:

Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopping IPA Custodia Service...
Mar 21 15:46:03 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Stopped IPA Custodia Service.
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Starting IPA Custodia Service...
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:18:10 - server                           - Serving on Unix socket /ru
Mar 22 10:18:10 vm-126.abc.idm.lab.eng.brq.redhat.com systemd[1]: Started IPA Custodia Service.
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple]    - PASS: '83694' authenticate
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header]   - PASS: '83694' authenticate
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys]       - PASS: '83694' authorized f
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - Secrets-[/keys]                  - DENIED: '(null)' requested
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 2017-03-22 10:41:44 - server                           - code 406, message Key name
Mar 22 10:41:44 vm-126.abc.idm.lab.eng.brq.redhat.com ipa-custodia[83008]: 127.0.0.1 - - [22/Mar/2017 10:41:44] "GET /keys/ca/caSigningCert%20cert-pki-ca?type

audit.log

2017-03-22 10:41:44 - SimpleCredsAuth-[auth:simple]    - PASS: '83694' authenticated as '48, 48'
2017-03-22 10:41:44 - SimpleHeaderAuth-[auth:header]   - PASS: '83694' authenticated as '(null)'
2017-03-22 10:41:44 - IPAKEMKeys-[authz:kemkeys]       - PASS: '83694' authorized for '/keys'
2017-03-22 10:41:44 - Secrets-[/keys]                  - DENIED: '(null)' requested key 'ca/caSigningCert%20cert-pki-ca'

@tiran
Member Author

tiran commented Mar 22, 2017

Full error message: code 406, message Key name ca/caSigningCert%20cert-pki-ca does not match subject ca/caSigningCert cert-pki-ca

Custodia issue latchset/custodia#135
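The 406 above is a canonicalisation mismatch: the client percent-encodes the key name when it builds the URL path (space becomes %20), while the subject it is compared against on the server side is the plain, decoded name, so a nickname containing a space never matches. The block below is an added illustration of that failure and of the fix, not custodia's code or FreeIPA's; the function names and the toy request handler are this example's own, and the only page-derived value is the nickname with the space.

```python
from urllib.parse import quote, unquote

PREFIX = "ca"
# From the thread: a CA certificate nickname that contains a space.
NICKNAME = "caSigningCert cert-pki-ca"


def client_key_path(prefix, nickname):
    """Client side: build the URL path component for a key name.
    quote() leaves '/' alone and percent-encodes the space as %20."""
    return quote(prefix + "/" + nickname, safe="/")


def naive_name_check(requested_path, subject):
    """The failing comparison: the raw, still percent-encoded path
    component is compared byte-for-byte with the plain subject."""
    return requested_path == subject


def fixed_name_check(requested_path, subject):
    """Decode the path component before comparing, so
    'ca/caSigningCert%20cert-pki-ca' matches 'ca/caSigningCert cert-pki-ca'.
    Returns the decoded name on success (use it for lookup and audit
    logging, so the audit line shows the real key name) and None on mismatch.
    """
    decoded = unquote(requested_path)
    return decoded if decoded == subject else None


def handle_request(requested_path, subject, check):
    """Toy server decision modelled on the observed behaviour: reject with a
    406 and the thread's error text when the names disagree, otherwise
    return 200 with the canonical (decoded) key name."""
    if not check(requested_path, subject):
        return 406, "Key name %s does not match subject %s" % (requested_path, subject)
    return 200, unquote(requested_path)


if __name__ == "__main__":
    path = client_key_path(PREFIX, NICKNAME)
    subject = PREFIX + "/" + NICKNAME
    print(handle_request(path, subject, naive_name_check))
    print(handle_request(path, subject, fixed_name_check))
```

The general rule this demonstrates is to compare and authorise on one canonical form of a name (here the decoded one), decided at a single point, rather than letting the URL-encoded and decoded spellings meet in an equality check.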

@tiran tiran changed the title Use Custodia 0.3 features Use Custodia 0.3.1 features Mar 27, 2017
@tiran
Member Author

tiran commented Mar 27, 2017

0.3.1 with fix for the space in URLs is out.

@tiran
Member Author

tiran commented Mar 28, 2017

F25 scratch build https://koji.fedoraproject.org/koji/taskinfo?taskID=18643521

$ fedpkg clone custodia
$ cd custodia
$ fedpkg switch-branch master
$ fedpkg scratch-build --srpm --target f25

@MartinBasti
Contributor

Probably we should bump requires to custodia >= 0.3.1

@MartinBasti
Contributor

Works for me, can be pushed when dependencies bumped

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label Mar 28, 2017
@pvomacka pvomacka added the pushed Pull Request has already been pushed label Mar 28, 2017
@pvomacka

ipa-4-5:

  • 403263d Use Custodia 0.3.1 features

master:

  • f5bf546 Use Custodia 0.3.1 features

@pvomacka pvomacka closed this Mar 28, 2017
@tiran tiran deleted the ipa_custodia branch March 28, 2017 14:01
@tiran
Member Author

tiran commented Mar 28, 2017

Custodia 0.3.1 also fixes latchset/custodia#135 (KEM requests with whitespace in key name fail). The bug has been reported by @adelton as https://bugzilla.redhat.com/show_bug.cgi?id=1411810 .
