Bug 1354620 - Tracker bug -- 7.2.6 respin of sssd-docker
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Namita Soman
Reported: 2016-07-11 18:15 UTC by Lukas Slebodnik
Modified: 2016-08-03 18:46 UTC
Last Closed: 2016-08-03 18:46:55 UTC

Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:1561 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux Atomic SSSD Container Image Update | 2016-08-03 22:46:45 UTC

Description Lukas Slebodnik 2016-07-11 18:15:50 UTC
Tracking rebuild of sssd-docker.

Comment 2 Nikhil Dehadrai 2016-08-01 08:32:45 UTC
Following Tests are w.r.t IPA server:

Test Setup Details:
============================
IPA-server: ipa-server-4.2.0-15.el7_2.18.x86_64
IPA-client: ipa-client-4.2.0-15.el7_2.18.x86_64
Atomic host: 7.2.6


Console Output Logs Sanity:
============================

-bash-4.2# docker tag 5afce78e6705 rhel7/sssd
-bash-4.2# docker images
REPOSITORY             TAG                                               IMAGE ID            CREATED             SIZE
rhel7/sssd             latest                                            5afce78e6705        39 hours ago        346.5 MB

-bash-4.2# atomic install rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh
Initializing configuration context from host ...
Client hostname: ipaqa64vmg.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: auto-hv-01-guest05.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Sat Jul 30 06:17:47 2016 UTC
    Valid Until: Wed Jul 30 06:17:47 2036 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://auto-hv-01-guest05.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://auto-hv-01-guest05.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://auto-hv-01-guest05.testrelm.test/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://auto-hv-01-guest05.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.

-bash-4.2# atomic run rhel7/sssd rpm -q ipa-client
ipa-client-4.2.0-15.el7_2.18.x86_64

-bash-4.2# systemctl status sssd
● sssd.service - System Security Services Daemon in container
   Loaded: loaded (/etc/systemd/system/sssd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: failed (Result: exit-code) since Sat 2016-07-30 03:04:47 EDT; 7min ago
 Main PID: 12660 (code=exited, status=0/SUCCESS)

Jul 30 02:59:14 ipaqa64vmg.testrelm.test atomic[12660]: f0dc48866508bb1d94a5d0bf60cce1102ba2726823a33245f665c2a...f450
Jul 30 02:59:14 ipaqa64vmg.testrelm.test atomic[12660]: For more information on these switches and their securi...un'.
Jul 30 02:59:14 ipaqa64vmg.testrelm.test systemd[1]: Started System Security Services Daemon in container.
Jul 30 03:04:46 ipaqa64vmg.testrelm.test systemd[1]: Stopping System Security Services Daemon in container...
Jul 30 03:04:47 ipaqa64vmg.testrelm.test atomic[13958]: Failed to kill container (sssd): Error response from da...sssd
Jul 30 03:04:47 ipaqa64vmg.testrelm.test atomic[13958]: docker kill -s TERM sssd
Jul 30 03:04:47 ipaqa64vmg.testrelm.test systemd[1]: sssd.service: control process exited, code=exited status=1
Jul 30 03:04:47 ipaqa64vmg.testrelm.test systemd[1]: Stopped System Security Services Daemon in container.
Jul 30 03:04:47 ipaqa64vmg.testrelm.test systemd[1]: Unit sssd.service entered failed state.
Jul 30 03:04:47 ipaqa64vmg.testrelm.test systemd[1]: sssd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

-bash-4.2# systemctl restart sssd

-bash-4.2# systemctl status sssd
● sssd.service - System Security Services Daemon in container
   Loaded: loaded (/etc/systemd/system/sssd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (exited) since Sat 2016-07-30 03:13:07 EDT; 11s ago
  Process: 14971 ExecStart=/usr/bin/atomic run --name=sssd rhel7/sssd (code=exited, status=0/SUCCESS)
 Main PID: 14971 (code=exited, status=0/SUCCESS)

Jul 30 03:13:05 ipaqa64vmg.testrelm.test systemd[1]: Starting System Security Services Daemon in container...
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: docker run -d --restart=always --privileged --net=host .../pam
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: This container uses privileged security switches:
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: INFO: --net=host
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: Processes in this container can listen to ports (and po...ork.
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: INFO: --privileged
Jul 30 03:13:06 ipaqa64vmg.testrelm.test atomic[14971]: This container runs without separation and should be co...tem.
Jul 30 03:13:07 ipaqa64vmg.testrelm.test atomic[14971]: df2e6e06650ad42d2dc6fa9801630b48c659e3a9b258ca72ee67a43...4b0a
Jul 30 03:13:07 ipaqa64vmg.testrelm.test atomic[14971]: For more information on these switches and their securi...un'.
Jul 30 03:13:07 ipaqa64vmg.testrelm.test systemd[1]: Started System Security Services Daemon in container.
Hint: Some lines were ellipsized, use -l to show in full.

-bash-4.2# ls -al /etc/systemd/system/sssd.service
-rw-r--r--. 1 root root 732 Jul 30 03:11 /etc/systemd/system/sssd.service


-bash-4.2# atomic run rhel7/sssd kinit admin
Password for admin@TESTRELM.TEST: 
-bash-4.2# atomic run rhel7/sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@TESTRELM.TEST

Valid starting     Expires            Service principal
07/30/16 03:05:17  07/31/16 03:05:15  krbtgt/TESTRELM.TEST@TESTRELM.TEST
-bash-4.2# atomic run rhel7/sssd kdestroy -A
-bash-4.2# atomic run rhel7/sssd klist
klist: Credentials cache keyring 'persistent:0:0' not found

-bash-4.2# atomic run rhel7/sssd kinit admin
Password for admin@TESTRELM.TEST: 
-bash-4.2# atomic run rhel7/sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@TESTRELM.TEST

Valid starting     Expires            Service principal
07/30/16 03:05:46  07/31/16 03:05:44  krbtgt/TESTRELM.TEST@TESTRELM.TEST

-bash-4.2# ssh -o GSSAPIAuthentication=yes admin@ipaqa64vmg.testrelm.test
Could not chdir to home directory /home/admin: No such file or directory
-bash-4.2$ whoami
admin
-bash-4.2$ exit
logout
Connection to ipaqa64vmg.testrelm.test closed.

-bash-4.2# atomic uninstall rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh
Initializing configuration context from host ...
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Copying new configuration to host ...
Removing /etc/ipa/nssdb/pwdfile.txt
Removing /etc/ipa/nssdb/secmod.db
Removing /etc/ipa/nssdb/cert8.db
Removing /etc/ipa/nssdb/key3.db
Removing /etc/ipa/ca.crt
Removing /etc/ipa/default.conf
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/sssd/systemctl-lite-enabled/rhel-domainname.service
Removing /etc/sssd/sssd.conf
Removing /var/lib/authconfig/last/system-auth-ac
Removing /var/lib/authconfig/last/postlogin-ac
Removing /var/lib/authconfig/last/password-auth-ac
Removing /var/lib/authconfig/last/fingerprint-auth-ac
Removing /var/lib/authconfig/last/smartcard-auth-ac
Removing /var/lib/ipa-client/sysrestore/92c98eb52eee5f53-nsswitch.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.index
Removing /var/lib/ipa-client/sysrestore/6ebc2a2874a41bf1-krb5.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.state
Removing /var/lib/ipa-client/sysrestore/7a28df4b2bcce028-ldap.conf
Removing /var/lib/ipa-client/sysrestore/0ecf075de271d3ef-ssh_config
Removing /var/lib/ipa-client/sysrestore/0fb5ee4b49dd41ca-sshd_config
Removing /var/lib/sss/pipes/private
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.124
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.14
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/pipes/nss
Removing /var/lib/sss/pipes/pam
Removing /var/lib/sss/pipes/ssh
Removing /var/lib/sss/pipes/sudo
Removing /var/lib/sss/pipes/pac
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/mc/initgroups
Removing /var/lib/sss/db/cache_testrelm.test.ldb
Removing /var/lib/sss/db/ccache_TESTRELM.TEST
-bash-4.2# atomic uninstall rhel7/sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/uninstall.sh
Initializing configuration context from host ...
IPA client is not configured on this system.

Comment 4 Niranjan Mallapadi Raghavender 2016-08-01 08:41:00 UTC
Versions:

-bash-4.2# atomic images

  REPOSITORY                               TAG                                               IMAGE ID       CREATED            VIRTUAL SIZE  
> lslebodn/sssd-docker                     extras-rhel-7.2-docker-candidate-20160728152115   sha256:5afce   2016-07-28 11:28   346.52 MB     
> registry.access.stage.redhat.com/rhel7   latest                                            sha256:4a6b6   2016-07-27 12:19   201.61 MB     

-bash-4.2# atomic version rhel7/sssd
sha256:5afce78e6705094789c4f6855d68027b06375edc1b902d26075a30a0303bebc7 rhel7/sssd-7.2-18 rhel7/sssd

Following tests were done for sssd (using realm)

test_positive_realm_discover
----------------------------
Test:
 On atomic host discover Windows domain using realm cli from sssd container

Assert:
 verify realm command discovers domain successfully

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system ip address in /etc/resolv.conf
 3. Use atomic cli to run realm command with discover option
     atomic install rhel7/sssd realm -v discover <Domain>

Result: Passed


test_positive_realm_join_with_membership_software_samba
-------------------------------------------------------
Test:
 Join Atomic host to Windows AD Domain using realm cli from sssd container

Assert:
 Atomic host should be joined to AD Domain successfully and sssd
 process should start successfully

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system  ip address in /etc/resolv.conf
 3. Use atomic cli from sssd container to join to AD Domain
     atomic install rhel7/sssd realm join <AD Domain>

 4. start sssd process

test_positive_verify_sssd_selinux_label
---------------------------------------
Test:
 Verify sssd process type is spc_t

Assert:
 Verify sssd process type is spc_t

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system  ip address in /etc/resolv.conf
 3. Use atomic cli from sssd container to join to AD Domain
 4. Start sssd process


Result: Passed

test_positive_realm_id_admin
----------------------------
Test:
 Verify AD users can be queried successfully using id command on Atomic host

Assert:
 Verify id <AD User> returns AD user successfully 

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system  ip address in /etc/resolv.conf
 3. Use atomic cli from sssd container to join to AD Domain
     atomic install rhel7/sssd realm -v discover <Domain>
 4. Start sssd process

Result: Passed

test_positive_id_from_another_container
---------------------------------------

Test:
 Verify AD users can be queried successfully from new containers on Atomic Host

Assert:
 Verify id 'AD user\Domain' successfully shows AD User Details

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system  ip address in /etc/resolv.conf
 3. Use atomic cli from sssd container to join to AD Domain
      atomic install rhel7/sssd realm -v join <Domain>
 4. Start sssd process
 5. Create a new container called sssd-test mounting /var/lib/sss
     'From  RHEL7
      RUN yum install -y sssd-client && yum clean all
      LABEL RUN 'docker run --rm -v /var/lib/sss/:/var/lib/sss/ ${IMAGE}'
 6. Run id "AD User\Domain" command using atomic cli from new container


Result: Passed

test_positive_realm_join_ad_domain_using_adcli
----------------------------------------------
Test:
 Join Atomic host to AD domain using realm with the help of adcli


Assert:
 Verify Atomic host is joined to AD domain and appropriate host
 entries are added to /etc/krb5.keytab

Feature:
 sssd-container

Status:
 Automated

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Add Windows AD system ip address in /etc/resolv.conf
 3. Join Atomic Host to AD domain
     atomic install rhel7/sssd realm -v join <AD Domain> --membership-software=adcli
 4. Start sssd process


test_positive_realm_leave_domain
--------------------------------
Test:
 Disjoin Atomic Host from AD Domain using realm cli from sssd container

Assert:
 Verify atomic host is disjoined from AD Domain

Steps:
 1. Configure docker to use access.stage.registry.redhat.com
 2. Set Windows system  ip address in /etc/resolv.conf
 3.  Use atomic cli from sssd container to join to AD Domain
     atomic install rhel7/sssd realm -v discover <Domain>
 4. Start sssd process
 5. Disjoin Atomic host from AD Domain using realm leave command
     atomic install rhel7/sssd realm leave -v -U Administrator <Domain>
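
Added example (not part of the comment above or of the sssd-container project): test_positive_verify_sssd_selinux_label asserts that the sssd process type is spc_t, the SELinux type used for super-privileged containers, but the steps do not show the check itself. One way to script it over `ps -eZ` output; the function name `sssd_label_report` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function name and sample data are hypothetical.

# Constructed `ps -eZ` output: every SSSD process carries the spc_t type.
SAMPLE_OK='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:03 systemd
system_u:system_r:spc_t:s0        15012 ?        00:00:00 sssd
system_u:system_r:spc_t:s0        15013 ?        00:00:00 sssd_be
system_u:system_r:spc_t:s0        15014 ?        00:00:00 sssd_nss'

# Constructed failure case: one helper runs confined, with MCS categories.
SAMPLE_BAD='LABEL                             PID TTY          TIME CMD
system_u:system_r:spc_t:s0        15012 ?        00:00:00 sssd
system_u:system_r:svirt_lxc_net_t:s0:c12,c34 15013 ? 00:00:00 sssd_be'

# Reads `ps -eZ` lines on stdin and prints "<pid> <command> <type>" for each
# sssd process whose SELinux type differs from the expected one ($1, default spc_t).
# Exit status: 0 = all match, 1 = at least one mismatch, 2 = no sssd process seen.
sssd_label_report() {
    awk -v want="${1:-spc_t}" '
        NR == 1 && $1 == "LABEL" { next }          # skip the header row
        $NF ~ /^sssd(_[a-z]+)?$/ {                 # sssd, sssd_be, sssd_nss, ...
            seen++
            split($1, ctx, ":")                    # user:role:type:level[:categories]
            if (ctx[3] != want) { bad++; print $2, $NF, ctx[3] }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Demo on the constructed samples; on a host, run: ps -eZ | sssd_label_report
printf '%s\n' "$SAMPLE_OK" | sssd_label_report && echo "OK: all sssd processes are spc_t"
printf '%s\n' "$SAMPLE_BAD" | sssd_label_report || echo "FAIL: unexpected label above"
```

Exit status 2 keeps a stopped container from passing the check silently, which matters here because the first `systemctl status sssd` in this report shows the unit in a failed state.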

Comment 6 errata-xmlrpc 2016-08-03 18:46:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1561

