<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<h3>

Timo Aaltonen pushed to branch upstream

at <a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck">FreeIPA packaging / freeipa-healthcheck</a>

</h3>

<h4>

Commits:

</h4>

<ul>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/7db48931c9b3045406e465abb4d2a21beaadfcc4">7db48931</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-06-14T11:45:06-04:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle files that don't exist in FileCheck

A raw os.stat() was called which could raise an exception if the file

doesn't exist. Instead call os.path.exists() and if the result is False

then raise a SUCCESS with a message that the file doesn't exist.

https://github.com/freeipa/freeipa-healthcheck/issues/213

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/2dc433596de0f6331e400c6928b47eef3a5622b4">2dc43359</a></strong>

<div>

<span>by Stanislav Levin</span>

<i>at 2021-06-18T11:05:17-04:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pylint: Fix new recommendations

- use-a-generator (R1729)

> Use a generator instead '%s(%s)' Comprehension inside of 'any' or

'all' is unnecessary. A generator would be sufficient and faster.

- http://pylint.pycqa.org/en/latest/technical_reference/c_extensions.html

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/215

Signed-off-by: Stanislav Levin <slev@altlinux.org>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/de2032487c73151e13812db78866ddd85d0f541c">de203248</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T16:33:13+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow for HIDDEN_SERVICE when checking ADTRUST service

If the host is a trust controller then the ADTRUST service

must be enabled. This is defined as both ENABLED_SERVICE and

HIDDEN_SERVICE.

https://github.com/freeipa/freeipa-healthcheck/issues/217

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/342054645eac819368e27d18d2d0519252f5cd48">34205464</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T17:29:42+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Collect and report ACME enablement status

https://github.com/freeipa/freeipa-healthcheck/issues/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/6675fdb88d40a026f0e63abe3a3fe352ef4e2ec0">6675fdb8</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T17:31:29+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use the new IPA import for is_ipa_configured()

The ipaserver.install.installutils version is deprecated

https://github.com/freeipa/freeipa-healthcheck/issues/221

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/8c2bfa6e2634abec65e16bfc9fbf1a67e85d7e0d">8c2bfa6e</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T17:31:29+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use compatibility shim for dns.resolver.resolve()

Loosely based on ipa commit 49e643783d22ded7a44d84599020af4e8a3d4d5a

https://github.com/freeipa/freeipa-healthcheck/issues/221

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/43d55b2d0fafafe9e128a832148dbec55f6ad2ac">43d55b2d</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T17:31:29+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for the DNS URI type

URI records are not required but if they exist they are

validated.

https://github.com/freeipa/freeipa-healthcheck/issues/222

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/0bdd0f8679efe04743ebdd34ddc10c1ba5aa55ab">0bdd0f86</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2021-09-17T17:31:29+02:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Re-sync the pylint configuration with freeIPA and resolve issues

This is mostly from the freeip commit

eefbe8558b25ca9e9da10b391ec41e2987b8bd2d

Also fix a few legitimate issues the newer pylint uncovered.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/23abcf55d20a55bf60d7bc221e2bca277d0adc5d">23abcf55</a></strong>

<div>

<span>by MIZUTA Takeshi</span>

<i>at 2021-11-02T10:50:41-04:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix typo in README.md

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/02eb4b2926f7f4fea69eba2f88a06e2b078a7009">02eb4b29</a></strong>

<div>

<span>by Stanislav Levin</span>

<i>at 2021-12-01T15:06:54-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">core: Relax dependency on IPA stuff

The core plugin system ideally should not depend on IPA, but the

freeipa-healthcheck plugin itself. For example, being reusable the

core may be called outside of console script (ipa-healthcheck) by

any lib/application (if ipaserver is not installed):

```console

[root@281a5762c1bd /]# python3 -c 'import ipahealthcheck.core.main as main; main.main()'

Traceback (most recent call last):

  File "<string>", line 1, in <module>

  File "/usr/lib/python3.10/site-packages/ipahealthcheck/core/main.py", line 12, in <module>

    from ipaserver.install.installutils import is_ipa_configured

ModuleNotFoundError: No module named 'ipaserver'

```

Actual problem is that every plugin of healthcheck system gains extra

IPA stack as the indirect dependency even if IPA is not used by a plugin.

For example, in ALTLinux dogtag-pki-server requires freeipa-healthcheck-core

which in turn, wants ipaserver, but actually dogtag-pki-server works

just fine without the latter. Moreover, this can lead to build loops

known as bootstrap issues like `dogtag -> healthcheck -> ipa -> dogtag`.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/237

Signed-off-by: Stanislav Levin <slev@altlinux.org>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/ea5d29c3fe17269a35021ebef67562fbb6c1a52b">ea5d29c3</a></strong>

<div>

<span>by Gordon Bleux</span>

<i>at 2022-01-10T12:34:36-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">add support for prometheus text metric exposition format output.

this new output plugin generates metrics from the check results in

the prometheus text exposition format. it is intended to be used in

combination with the prometheus node_exporter [textfile collector][].

the output plugin generates similar metrics as the [ipahealthcheck_exporter][]

[ipahealthcheck_exporter]: https://github.com/camptocamp/ipahealthcheck_exporter

[textfile collector]: https://github.com/camptocamp/ipahealthcheck_exporter

Signed-off-by: Gordon Bleux <UiP9AV6Y+git@protonmail.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/839000ba40f075343548a69890cfa465f1366a66">839000ba</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T13:30:04-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Unify command-line options and configuration

This makes it possible to add command-line options to the

configuration file.

The config file is loaded then the command-line options are

merged in. The first one option set takes precedence. So if

an option, say output_type, is in the configuration file then

passing output-type on the command-line will not override it.

The workaround is to pass --config= to ipa-healthcheck in order

to not load the configuration file.

This will allow for greater flexibility when running this automatically

without having to manually change test timer scripting directly.

https://bugzilla.redhat.com/show_bug.cgi?id=1872467

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/63016f5cb061663580348e99b716f9cfdefdeaa9">63016f5c</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T14:17:50-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Compare proxy shared secret configuration

Compare the ProxyPassMatch secret(s) with those in server.xml

For now we are skipping checking to see if both secret and

requiredSecret are configured since it doesn't seem to cause

tomcat any issues. As long as the secrets match up with

ipa-pki-proxy.conf then things work fine.

https://github.com/freeipa/freeipa-healthcheck/issues/231

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/b3a917c574e16e758fcb166af5ee606c046b5598">b3a917c5</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T14:18:07-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check expected group memberships

The initial purpose of this is for privilege separation

where if the group membership is not correct the ccaches

may not be readable. It's possible this will expand to other

purposes.

https://github.com/freeipa/freeipa-healthcheck/issues/233

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/0274da1ce6ac2d269deafd023ce304d9f62310c6">0274da1c</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T15:27:39-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a timeout wrapper around each check execution

A timeout will raise a new exception, TimeoutError. This

can be caught and handled inside an individual check, otherwise

it will be handled by run_plugin.

https://github.com/freeipa/freeipa-healthcheck/issues/236

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/b6ade2ed5b379c64270c19abf775da365a8dc299">b6ade2ed</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T15:27:55-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Loop through the registry twice in order to collect ca_configured

Skipping the pki plugins was dependent upon the order the registry

was being processed. The assumption was that the ipa plugin would

be done first so ca_configured would be defined. If this isn't the

case the the pki plugins are incorrectly skipped. So run through

the list twice (it's short).

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/201

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/94b4082e45e746ea163630159ed8868caa4235d1">94b4082e</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-01T15:27:55-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Collect ca_configured status prior to checking for trust packages

python3-libsss_nss_idmap isn't required but if it is not present

then the asumption is that trust is not available. This code

was executing prior to collecting the ca_configured status so

if the package was not installed then ca_configured could never

be True.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/201

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/dfc8caed5713381cb7284f7f61b2083014076980">dfc8caed</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-04T11:10:13-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add a way to exclude sources, checks and/or keys from results

We allow to exclude on three different levels:

 * source

 * check

 * key

Excluding a source could be used to disable a misbehaving set of

checks, particularly one not provided by upstream. A check would

be similar.

Not all results have a key but most do. If we run into corner

cases we can address them as they come up.

The example I had in mind is an untracked certificate that is

otherwise legitimate. This could be marked as excluded by key

so ipa-healthcheck will no longer return failures.

Filtering happens twice. Any sources or checks excluded will simply

not be executed. keys are excluded after execution.

This adds new section, [exclusions], which will contain three types

of exclusions and can be repeated:

source

config

key

https://github.com/freeipa/freeipa-healthcheck/issues/176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/f0a43d4b7a462cf773ac821a98862f933c200c8b">f0a43d4b</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-04T11:10:13-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add keys to some Results that were missing

Being able to suppress a specific key rather than a whole

source or check is better.

I'm not ready yet to assert that there is a key in each

Result since that would be a rather impactful change but

for the purposes of this change I added an assert and ran

it through the unit tests.

https://github.com/freeipa/freeipa-healthcheck/issues/176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/4079d628ccae0702a8bdd535f322aa338bf4a8a4">4079d628</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-04T11:10:13-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test suppressing results

Create a new source and register two plugins to it.

Use an Output plugin to collect the results in a global

variable so the results can be evaluated after the run is

complete.

Use a temporary configuration file to set the test

configuration.

Test suppressing:

- nothing

- the source

- one check

- one key

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/176

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/896824f4fc5e40c201fff5c1c41d8c8458093a31">896824f4</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-04T11:10:13-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update timeout test to use new API in run_plugins

A config option was added which needs to be passed in during

the test call.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/d9619c9323eb18975d555b7c4a24acba6deb306f">d9619c93</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-04T11:10:40-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Include an exception on outer-level failures when running plugins

The traceback will be both in the debug output and within the

Result value for the call so we have half a chance to fix what

is broken.

https://github.com/freeipa/freeipa-healthcheck/issues/224

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

<li>

<strong><a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/commit/d6035fe2c490c801a1b0c2774f93df7f0dbfd136">d6035fe2</a></strong>

<div>

<span>by Rob Crittenden</span>

<i>at 2022-02-08T13:39:59-05:00</i>

</div>

<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become 0.10

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

</pre>

</li>

</ul>

<h4>30 changed files:</h4>

<ul>

<li class="file-stats">

<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">

README.md

</a>

</li>

<li class="file-stats">

<a href="#ff41455272b21d0e7ff5aa70d6a8c0fea800c887">

man/man5/ipahealthcheck.conf.5

</a>

</li>

<li class="file-stats">

<a href="#cf39bdc2d6ab11da033ac0ee99031dafffc6aea4">

man/man8/ipa-healthcheck.8

</a>

</li>

<li class="file-stats">

<a href="#fb159141c98dfc6dc91d2cf922e7b89142c624a0">

pylint_plugins.py

</a>

</li>

<li class="file-stats">

<a href="#7ce8b9f946e687a952e4d1a9ae3061055dae97ed">

pylintrc

</a>

</li>

<li class="file-stats">

<a href="#8e2edce0d507e1297474f25c00cae94258db38d8">

setup.py

</a>

</li>

<li class="file-stats">

<a href="#41078d70f15bd92b814fdb1a25f74acc7242ca22">

src/ipaclustercheck/core/output.py

</a>

</li>

<li class="file-stats">

<a href="#fa8036a99c3e8fcb02f2ee13843b2706e459817c">

src/ipaclustercheck/ipa/plugin.py

</a>

</li>

<li class="file-stats">

<a href="#cf5e3519a0c8192e9d0d443cf944bb031d801d19">

src/ipaclustercheck/ipa/ruv.py

</a>

</li>

<li class="file-stats">

<a href="#3b95a4c3ea2e0ff51c21f664e6de6ad2151a8bc5">

src/ipahealthcheck/core/config.py

</a>

</li>

<li class="file-stats">

<a href="#9d4a01f2012858f23ec544c38d46db58c2870a04">

src/ipahealthcheck/core/constants.py

</a>

</li>

<li class="file-stats">

<a href="#58eb99f10f18aaea73d5adadbe927df0afe71093">

src/ipahealthcheck/core/core.py

</a>

</li>

<li class="file-stats">

<a href="#42db739bb154d4fa1b4c7883fdb2138f89795a81">

<span class="new-file">

+

src/ipahealthcheck/core/exceptions.py

</span>

</a>

</li>

<li class="file-stats">

<a href="#fe5062106a80753c1dc4be24b19380351ed6e727">

src/ipahealthcheck/core/files.py

</a>

</li>

<li class="file-stats">

<a href="#65242a1add8c2a7aa3f9418950cd2bf29ee96259">

src/ipahealthcheck/core/main.py

</a>

</li>

<li class="file-stats">

<a href="#6e305c948848b8333d4e083847aecf5d3efb5d41">

src/ipahealthcheck/core/output.py

</a>

</li>

<li class="file-stats">

<a href="#ec7c3d0e9261d29f34f895d1182fc7170df53fc5">

src/ipahealthcheck/dogtag/ca.py

</a>

</li>

<li class="file-stats">

<a href="#e731a9de6a41ccf7bdfbbef5ab2f2dd4b4c07dd3">

src/ipahealthcheck/ipa/certs.py

</a>

</li>

<li class="file-stats">

<a href="#5f969ad1bcefb3c206012ff458c0f1710dd4b640">

src/ipahealthcheck/ipa/dna.py

</a>

</li>

<li class="file-stats">

<a href="#e4cf93f8516ef19917e23e1cfafa1bf5c6436f77">

src/ipahealthcheck/ipa/idns.py

</a>

</li>

<li class="file-stats">

<a href="#4df4768f7b9fb03bfdae4fd433ba28bcb97c8f7a">

<span class="new-file">

+

src/ipahealthcheck/ipa/nss.py

</span>

</a>

</li>

<li class="file-stats">

<a href="#7f112e2cb48f6387dcc8c1fca618763a55a4917d">

src/ipahealthcheck/ipa/plugin.py

</a>

</li>

<li class="file-stats">

<a href="#75bfedbe22e9709913d5899d49325e092cb821c8">

<span class="new-file">

+

src/ipahealthcheck/ipa/proxy.py

</span>

</a>

</li>

<li class="file-stats">

<a href="#2e66ac95e2f4880baf88375b2d4a63c18bca9f0d">

src/ipahealthcheck/ipa/trust.py

</a>

</li>

<li class="file-stats">

<a href="#99631abadb2e8b415f39721965e34fdd3e4accb6">

src/ipahealthcheck/meta/core.py

</a>

</li>

<li class="file-stats">

<a href="#b3e503b08933ce564cf0ca40ef37667b27379b48">

src/ipahealthcheck/system/filesystemspace.py

</a>

</li>

<li class="file-stats">

<a href="#06c40582f46cbc98ba550a19989a93a286dcd40e">

tests/test_commands.py

</a>

</li>

<li class="file-stats">

<a href="#8ef774410af19c9f2bf9a293c3f7c6540cf26311">

tests/test_core_files.py

</a>

</li>

<li class="file-stats">

<a href="#dba859897e0e8cff359fc927f5d5c0990c6309d4">

tests/test_init.py

</a>

</li>

<li class="file-stats">

<a href="#d7f32f897718d99f36128aa626effe4c16699d22">

tests/test_ipa_dns.py

</a>

</li>

</ul>

<h5>The diff was not included because it is too large.</h5>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #666;">

—

<br>

<a href="https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/compare/55cb92b07fb5d74b8fa24ef086b3b00f97949c91...d6035fe2c490c801a1b0c2774f93df7f0dbfd136">View it on GitLab</a>.

<br>

You're receiving this email because of your account on salsa.debian.org.

If you'd like to receive fewer emails, you can

adjust your notification settings.

</p>

</div>

</body>

</html>