Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Jochen Kellner via FreeIPA-users wrote: >> >> Hi, >> >> I've re-installed my test system with Fedora 40. ipa-healthcheck says: >> >> { >> "source": "ipahealthcheck.ipa.files", >> "check": "TomcatFileCheck", >> "result": "WARNING", >> "uuid": "0cad1a21-d450-4c68-845f-e72a640af360", >> "when": "20240610020014Z", >> "duration": "0.000986", >> "kw": { >> "key": "_var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode", >> "path": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg", >> "type": "mode", >> "expected": "0660", >> "got": "0664", >> "msg": "Permissions of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg are too >> permissive: 0664 and should be 0660" >> } >> }, >> >> Otherwise the system seems to run fine. Might be a packaging problem... > > Were only IPA packages updated or also dogtag-pki* or tomcat? I assume > healthcheck output was clean prior to upgrading? I'm trying to narrow > down where to look for the root cause. The system had been newly installed. The first entry in dnf.rpm.log is from 2024-06-04T21:02:05+0200. These are the entries for 'grep -E "(ipa|pki)" /var/log/dnf.rpm.log': 2024-06-04T21:53:06+0200 SUBDEBUG Installed: freeipa-client-common-4.12.0-1.fc40.noarch 2024-06-04T21:53:06+0200 SUBDEBUG Installed: krb5-pkinit-1.21.2-5.fc40.x86_64 2024-06-04T21:53:07+0200 SUBDEBUG Installed: libipa_hbac-2.9.5-1.fc40.x86_64 2024-06-04T21:53:07+0200 SUBDEBUG Installed: python3-dogtag-pki-11.5.0-3.fc40.noarch 2024-06-04T21:53:07+0200 SUBDEBUG Installed: dogtag-pki-base-11.5.0-3.fc40.noarch 2024-06-04T21:53:08+0200 SUBDEBUG Installed: python3-libipa_hbac-2.9.5-1.fc40.x86_64 2024-06-04T21:53:09+0200 SUBDEBUG Installed: sssd-ipa-2.9.5-1.fc40.x86_64 2024-06-04T21:53:10+0200 SUBDEBUG Installed: freeipa-server-common-4.12.0-1.fc40.noarch 2024-06-04T21:53:10+0200 SUBDEBUG Installed: freeipa-selinux-4.12.0-1.fc40.noarch 2024-06-04T21:53:23+0200 SUBDEBUG Installed: freeipa-common-4.12.0-1.fc40.noarch 2024-06-04T21:53:24+0200 SUBDEBUG Installed: python3-ipalib-4.12.0-1.fc40.noarch 2024-06-04T21:53:24+0200 SUBDEBUG Installed: python3-ipaclient-4.12.0-1.fc40.noarch 2024-06-04T21:53:25+0200 SUBDEBUG Installed: python3-ipaserver-4.12.0-1.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-jackson2-provider-3.0.26-29.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-core-3.0.26-29.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-client-3.0.26-29.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-servlet-initializer-3.0.26-29.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: dogtag-pki-java-11.5.0-3.fc40.noarch 2024-06-04T21:53:27+0200 SUBDEBUG Installed: dogtag-pki-tools-11.5.0-3.fc40.x86_64 2024-06-04T21:53:30+0200 SUBDEBUG Installed: freeipa-healthcheck-core-0.16-5.fc40.noarch 2024-06-04T21:53:32+0200 SUBDEBUG Installed: dogtag-pki-server-11.5.0-3.fc40.noarch 2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-acme-11.5.0-3.fc40.noarch 2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-ca-11.5.0-3.fc40.noarch 2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-kra-11.5.0-3.fc40.noarch 2024-06-04T21:53:33+0200 SUBDEBUG Installed: freeipa-client-4.12.0-1.fc40.x86_64 2024-06-04T21:53:33+0200 SUBDEBUG Installed: freeipa-server-4.12.0-1.fc40.x86_64 2024-06-04T21:53:42+0200 SUBDEBUG Installed: freeipa-server-dns-4.12.0-1.fc40.noarch 2024-06-05T06:51:41+0200 SUBDEBUG Installed: freeipa-server-trust-ad-4.12.0-1.fc40.x86_64 2024-06-05T06:51:53+0200 SUBDEBUG Installed: freeipa-healthcheck-0.16-5.fc40.noarch ipa-server-install.log starts at 2024-06-04T20:34:53Z, there is no file ipaupgrade.log. These are the only updates applied since installation: root@freeipa:/var/log# grep Upgrade dnf.rpm.log 2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: qt5-srpm-macros-5.15.14-1.fc40.noarch 2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: git-core-2.45.2-2.fc40.x86_64 2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: apache-commons-io-1:2.16.1-1.fc40.noarch 2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: qt5-srpm-macros-5.15.13-1.fc40.noarch 2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: apache-commons-io-1:2.13.0-8.fc40.noarch 2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: git-core-2.45.1-1.fc40.x86_64 2024-06-07T17:04:15+0200 SUBDEBUG Upgrade: iproute-6.7.0-2.fc40.x86_64 2024-06-07T17:04:15+0200 SUBDEBUG Upgraded: iproute-6.7.0-1.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: rsvg-pixbuf-loader-2.57.1-6.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: librsvg2-2.57.1-6.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: libdrm-2.4.121-1.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: librsvg2-2.57.1-4.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: rsvg-pixbuf-loader-2.57.1-4.fc40.x86_64 2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: libdrm-2.4.120-3.fc40.x86_64 2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-filesystem-24.0.9-1.fc40.x86_64 2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-va-drivers-24.0.9-1.fc40.x86_64 2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-libglapi-24.0.9-1.fc40.x86_64 2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-dri-drivers-24.0.9-1.fc40.x86_64 2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libgbm-24.0.9-1.fc40.x86_64 2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libEGL-24.0.9-1.fc40.x86_64 2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libGL-24.0.9-1.fc40.x86_64 2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: fontconfig-2.15.0-6.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libEGL-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libGL-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libgbm-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libglapi-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-dri-drivers-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-va-drivers-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-filesystem-24.0.8-1.fc40.x86_64 2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: fontconfig-2.15.0-4.fc40.x86_64 > In any case I'd heed the warning and tighten up the perms. Thanks a lot. > Thanks for the report. You're welcome! Jochen -- This space is intentionally left blank. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue