ipa-client-install: enable SELinux for SSSD #6978
Closed
Azure Pipelines / AzurePipeline.freeipa
succeeded
Sep 4, 2023 in 26m 5s
Build #20230901.9 had test failures
- Failed: 14 (0.31%)
- Passed: 4,238 (92.47%)
- Other: 331 (7.22%)
- Total: 4,583
Annotations
Check failure on line 1 in test_krb_uri_txt_to_cname
azure-pipelines / AzurePipeline.freeipa
test_krb_uri_txt_to_cname
subprocess.CalledProcessError: Command '['ipa-server-upgrade']' returned non-zero exit status 1.
Raw output
self = <ipatests.test_integration.test_upgrade.TestUpgrade object at 0x7f8d80d9bc10>
setup_locations = <function TestUpgrade.setup_locations.<locals>._setup_locations at 0x7f8d80cf3100>
def test_krb_uri_txt_to_cname(self, setup_locations):
"""Test that ipa-server-upgrade correctly updates Kerberos DNS records
Test for https://pagure.io/freeipa/issue/9257
Kerberos URI and TXT DNS records should be location-aware in case the
server is part of a location, in order for DNS discovery to prioritize
servers from the same location. This means that for such servers the
_kerberos record should be a CNAME one pointing to the appropriate set
of location-aware records.
"""
realm = self.master.domain.realm
locations = ['a', 'b']
setup_locations(locations)
> self.master.run_command(['ipa-server-upgrade'])
test_integration/test_upgrade.py:439:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ipatests.pytest_ipa.integration.host.Host master1.ipa.test (master)>
argv = ['ipa-server-upgrade'], set_env = True, stdin_text = None
log_stdout = True, raiseonerr = True, cwd = None, bg = False, encoding = 'utf-8'
ok_returncode = 0
def run_command(self, argv, set_env=True, stdin_text=None,
log_stdout=True, raiseonerr=True,
cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
"""Wrapper around run_command to log stderr on raiseonerr=True
:param ok_returncode: return code considered to be correct,
you can pass an integer or sequence of integers
"""
result = super().run_command(
argv, set_env=set_env, stdin_text=stdin_text,
log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
encoding=encoding
)
# in FIPS mode SSH may print noise to stderr, remove the string
# "FIPS mode initialized" + optional newline.
result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
try:
result_ok = result.returncode in ok_returncode
except TypeError:
result_ok = result.returncode == ok_returncode
if not result_ok and raiseonerr:
result.log.error('stderr: %s', result.stderr_text)
> raise subprocess.CalledProcessError(
result.returncode, argv,
result.stdout_text, result.stderr_text
)
E subprocess.CalledProcessError: Command '['ipa-server-upgrade']' returned non-zero exit status 1.
pytest_ipa/integration/host.py:202: CalledProcessError
Check failure on line 1 in test_krb_uri_txt_to_cname
azure-pipelines / AzurePipeline.freeipa
test_krb_uri_txt_to_cname
failed on teardown with "ipalib.errors.NetworkError: cannot connect to 'ldap://master1.ipa.test:389': Transport endpoint is not connected"
Raw output
self = <ipatests.pytest_ipa.integration.host.LDAPClientWithoutCertCheck object at 0x7f8d7e578a90>
arg_desc = None
@contextlib.contextmanager
def error_handler(self, arg_desc=None):
"""Context manager that handles LDAPErrors
"""
desc = None
try:
try:
> yield
../ipapython/ipaldap.py:1096:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ipatests.pytest_ipa.integration.host.LDAPClientWithoutCertCheck object at 0x7f8d7e578a90>
def _connect(self):
with self.error_handler():
conn = ldap_initialize(self.ldap_uri, cacertfile=self._cacert)
# SASL_NOCANON is set to ON in Fedora's default ldap.conf and
# in the ldap_initialize() function.
if not self._sasl_nocanon:
conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_OFF)
if self._start_tls and self.protocol == 'ldap':
# STARTTLS applies only to ldap:// connections
> conn.start_tls_s()
../ipapython/ipaldap.py:1224:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ldap.ldapobject.SimpleLDAPObject object at 0x7f8d7e57a050>
def start_tls_s(self):
"""
start_tls_s() -> None
Negotiate TLS with server. The `version' attribute must have been
set to VERSION3 before calling start_tls_s.
If TLS could not be started an exception will be raised.
"""
> return self._ldap_call(self._l.start_tls_s)
/usr/lib64/python3.11/site-packages/ldap/ldapobject.py:643:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ldap.ldapobject.SimpleLDAPObject object at 0x7f8d7e57a050>
func = <built-in method start_tls_s of LDAP object at 0x7f8d7e532010>, args = ()
kwargs = {}, diagnostic_message_success = None
def _ldap_call(self,func,*args,**kwargs):
"""
Wrapper method mainly for serializing calls into OpenLDAP libs
and trace logs
"""
self._ldap_object_lock.acquire()
if __debug__:
if self._trace_level>=1:
self._trace_file.write('*** {} {} - {}\n{}\n'.format(
repr(self),
self._uri,
'.'.join((self.__class__.__name__,func.__name__)),
pprint.pformat((args,kwargs))
))
if self._trace_level>=9:
traceback.print_stack(limit=self._trace_stack_limit,file=self._trace_file)
diagnostic_message_success = None
try:
try:
> result = func(*args,**kwargs)
E ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not connected'}
/usr/lib64/python3.11/site-packages/ldap/ldapobject.py:128: SERVER_DOWN
During handling of the above exception, another exception occurred:
self = <ipatests.test_integration.test_upgrade.TestUpgrade object at 0x7f8d80d9bc10>
@pytest.fixture
def setup_locations(self):
realm = self.master.domain.realm
_locations = []
def _setup_locations(locations):
_locations = locations
ldap = self.master.ldap_connect()
for location in locations:
self.master.run_command(['ipa', 'location-add', location])
self.master.run_command([
'ipa',
'server-mod',
'--location=' + locations[0],
self.master.hostname,
])
main_krb_rec = ldap.get_entry(
get_main_krb_rec_dn(self.master.domain),
)
main_krb_rec['objectClass'].remove('idnsTemplateObject')
del main_krb_rec['idnsTemplateAttribute;cnamerecord']
ldap.update_entry(main_krb_rec)
for location in locations:
location_krb_rec = ldap.get_entry(
get_location_krb_rec_dn(self.master.dom
Check failure on line 1 in test_pki_dropin_file
azure-pipelines / AzurePipeline.freeipa
test_pki_dropin_file
subprocess.CalledProcessError: Command '['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'Secret123']' returned non-zero exit status 255.
Raw output
self = <ipatests.test_integration.test_upgrade.TestUpgrade object at 0x7f8d80d9b5d0>
def test_pki_dropin_file(self):
"""Test that upgrade adds the drop-in file if missing
Test for ticket 9381
Simulate an update from a version that didn't provide
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf,
remove one of the certificate profiles from LDAP and check that upgrade
completes successfully and adds the missing file.
When the drop-in file is missing, the upgrade tries to login to
PKI in order to migrate the profile and fails because PKI failed to
start.
"""
self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF])
ldif = textwrap.dedent("""
dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca
changetype: delete
""")
> tasks.ldapmodify_dm(self.master, ldif)
test_integration/test_upgrade.py:476:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
pytest_ipa/integration/tasks.py:2118: in ldapmodify_dm
return host.run_command(args, stdin_text=ldif_text, **kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ipatests.pytest_ipa.integration.host.Host master1.ipa.test (master)>
argv = ['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'Secret123']
set_env = True
stdin_text = '\ndn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca\nchangetype: delete\n'
log_stdout = True, raiseonerr = True, cwd = None, bg = False, encoding = 'utf-8'
ok_returncode = 0
def run_command(self, argv, set_env=True, stdin_text=None,
log_stdout=True, raiseonerr=True,
cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
"""Wrapper around run_command to log stderr on raiseonerr=True
:param ok_returncode: return code considered to be correct,
you can pass an integer or sequence of integers
"""
result = super().run_command(
argv, set_env=set_env, stdin_text=stdin_text,
log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
encoding=encoding
)
# in FIPS mode SSH may print noise to stderr, remove the string
# "FIPS mode initialized" + optional newline.
result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
try:
result_ok = result.returncode in ok_returncode
except TypeError:
result_ok = result.returncode == ok_returncode
if not result_ok and raiseonerr:
result.log.error('stderr: %s', result.stderr_text)
> raise subprocess.CalledProcessError(
result.returncode, argv,
result.stdout_text, result.stderr_text
)
E subprocess.CalledProcessError: Command '['ldapmodify', '-x', '-D', 'cn=Directory Manager', '-w', 'Secret123']' returned non-zero exit status 255.
pytest_ipa/integration/host.py:202: CalledProcessError
Check failure on line 1 in test_pki_dropin_file
azure-pipelines / AzurePipeline.freeipa
test_pki_dropin_file
subprocess.CalledProcessError: Command '['ipa-server-upgrade']' returned non-zero exit status 1.
Raw output
self = <ipatests.test_integration.test_upgrade.TestUpgrade object at 0x7fd08f2dc290>
def test_pki_dropin_file(self):
"""Test that upgrade adds the drop-in file if missing
Test for ticket 9381
Simulate an update from a version that didn't provide
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf,
remove one of the certificate profiles from LDAP and check that upgrade
completes successfully and adds the missing file.
When the drop-in file is missing, the upgrade tries to login to
PKI in order to migrate the profile and fails because PKI failed to
start.
"""
self.master.run_command(["rm", "-f", paths.SYSTEMD_PKI_TOMCAT_IPA_CONF])
ldif = textwrap.dedent("""
dn: cn=caECServerCertWithSCT,ou=certificateProfiles,ou=ca,o=ipaca
changetype: delete
""")
tasks.ldapmodify_dm(self.master, ldif)
> self.master.run_command(['ipa-server-upgrade'])
test_integration/test_upgrade.py:477:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <ipatests.pytest_ipa.integration.host.Host master1.ipa.test (master)>
argv = ['ipa-server-upgrade'], set_env = True, stdin_text = None
log_stdout = True, raiseonerr = True, cwd = None, bg = False, encoding = 'utf-8'
ok_returncode = 0
def run_command(self, argv, set_env=True, stdin_text=None,
log_stdout=True, raiseonerr=True,
cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
"""Wrapper around run_command to log stderr on raiseonerr=True
:param ok_returncode: return code considered to be correct,
you can pass an integer or sequence of integers
"""
result = super().run_command(
argv, set_env=set_env, stdin_text=stdin_text,
log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
encoding=encoding
)
# in FIPS mode SSH may print noise to stderr, remove the string
# "FIPS mode initialized" + optional newline.
result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
try:
result_ok = result.returncode in ok_returncode
except TypeError:
result_ok = result.returncode == ok_returncode
if not result_ok and raiseonerr:
result.log.error('stderr: %s', result.stderr_text)
> raise subprocess.CalledProcessError(
result.returncode, argv,
result.stdout_text, result.stderr_text
)
E subprocess.CalledProcessError: Command '['ipa-server-upgrade']' returned non-zero exit status 1.
pytest_ipa/integration/host.py:202: CalledProcessError