On Mon, 25 Jan 2021, Alexander Bokovoy via FreeIPA-devel wrote:
On Wed, 20 Jan 2021, Alexander Bokovoy via FreeIPA-devel wrote:
On Thu, 14 Jan 2021, Alexander Bokovoy via FreeIPA-devel wrote:
Hi,

I am planning to do the FreeIPA 4.9.1 release by the end of this week or early
next week. Draft release notes are available here:
https://vda.li/drafts/freeipa-4.9.1-release-notes.html

As usual, please update the 'changelog' field in the corresponding Pagure
ticket if you want to include something in the release notes.
Alternatively, a commit message should have an RN:-prefixed line; all those
lines will be included in the release notes as well.

Currently we have the following tickets fixed. Some of them were fixed
in the previous releases but as they were mentioned in the commit
messages for test updates, fixups, they are included:

#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds

Out of those I think #8646 and all RHBZs are worth a release note
update.

Before the release, we might also consider improvement to #8656 because
current fix does not cover upgrade. Any volunteer?

Current state of the PRs that are targeting ipa-4-9:
$ ./ipatool pr-list --label ipa-4-9
5424    ipatest: fix test_upgrade.py::TestUpgrade::()::tes      ipa-4-6 ipa-4-8 ipa-4-9 needs review    https://github.com/freeipa/freeipa/pull/5424
5419    Test that IPA certs are removed on server uninstal      WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5419
5408    upgrade.py: restart CS for 30 seconds until it is       WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5408
5392    Add cgroup v2 support to the minimum RAM checker        ipa-4-9 https://github.com/freeipa/freeipa/pull/5392
5389    Revert "Remove test for minimum ACME support and r ipa-4-9 https://github.com/freeipa/freeipa/pull/5389
5387    Raise RuntimeError when kinit_armor fails       ipa-4-9 https://github.com/freeipa/freeipa/pull/5387
5313    Gracefully handle Nsds5replicalastupdateend's abse      WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5313
5198    tox.ini: Extend max-line-length from 80 to 88+  ipa-4-8 ipa-4-9 needs review trivial    https://github.com/freeipa/freeipa/pull/5198
5176    freeipa.spec.in: client: depend on libsss_sudo  WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5176

Let me know which of them will be fixed by the end of the week. I also
have a number of trust-related improvements I hope to complete before
next week but if I'd slip on those, we can do 4.9.1 release without
them.

Current state. Following tickets already fixed in ipa-4-9 branch:

#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser

FIPS-related fixes in trusted domain code cause a regression with
external trust which I am trying to fix now. The fixes are almost ready
in PR#5436: https://github.com/freeipa/freeipa/pull/5436

Other opened PRs targeting ipa-4-9:

5451    ipatests: test_ipahealthcheck: fix units        WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5451
5434    ipatests: use fully qualified name for AD admin wh      ipa-4-9 https://github.com/freeipa/freeipa/pull/5434
5427    ipatests: rewrite test for requests routing to sub      ipa-4-8 ipa-4-9 needs review    https://github.com/freeipa/freeipa/pull/5427
5408    upgrade.py: restart CS for 30 seconds until it is       WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5408
5392    Add cgroup v2 support to the minimum RAM checker        ipa-4-9 https://github.com/freeipa/freeipa/pull/5392
5387    Raise RuntimeError when kinit_armor fails       ipa-4-9 https://github.com/freeipa/freeipa/pull/5387
5313    Gracefully handle Nsds5replicalastupdateend's abse      WIP ipa-4-8 ipa-4-9     https://github.com/freeipa/freeipa/pull/5313
5198    tox.ini: Extend max-line-length from 80 to 88+  ipa-4-8 ipa-4-9 needs review trivial    https://github.com/freeipa/freeipa/pull/5198
5176    freeipa.spec.in: client: depend on libsss_sudo  ipa-4-8 ipa-4-9 needs review    https://github.com/freeipa/freeipa/pull/5176

I think we also need to make up our minds about:

https://github.com/freeipa/freeipa/pull/5452 - Custodia fixes

https://github.com/freeipa/freeipa/pull/5444 - DNSSEC fixes which currently lack upgrade changes

and work on the upgrade code for the ticket #8656 (Use client keytab for
389ds)

Another update. The changes to ticket #8656 are not needed because we already
handle upgrade of the directory server's systemd snippet since 2019. So
this part is good.

Trust-related fixes were merged, as well as support for cgroup v2 in
a containerized environment. Right now there is one outstanding bug in
trust tests related to Samba 4.13+ lockdown on NTLMSSP authentication in
Fedora 33+ and RHEL 8.4+. This is handled with 
https://github.com/freeipa/freeipa/pull/5473

I completed work on allowing AD users/groups in sudo rules in
https://github.com/freeipa/freeipa/pull/4792. The tests there pass just
fine; a review is needed.

List of closed tickets and bugs for ipa-4-9 as of this morning:

#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000

It looks like the DNSSEC PR (5444) and the Custodia fixes PR (5452) need more
work; there are still failing test suites. Most of the failures are related
to DNS handling in the test environment.

Once trust-related PRs 5473 and 4792 are reviewed and pushed, I'll work on
the 4.9.1 release. Hopefully this will happen today.

I think we are ready with the FreeIPA 4.9.1 release.
You can find draft release notes at
https://vda.li/drafts/freeipa-4.9.1-release-notes.html

I'll do a release today.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland