[Pkg-freeipa-devel] [Git][freeipa-team/freeipa-healthcheck][master] 46 commits: kdc: Don't return a WARNING if there are no ARGS and cpus == 1

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Nov 22 10:50:52 GMT 2023



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa-healthcheck


Commits:
c9feb33f by Rob Crittenden at 2022-06-06T09:30:59-04:00
kdc: Don't return a WARNING if there are no ARGS and cpus == 1

If there is only a single CPU at installation time then
KRB5KDC_ARGS is nnot set and it may contain an empty value like:

KRB5KDC_ARSG=

Treat this as a successful execution.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/258

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ca6bb30 by Rob Crittenden at 2022-07-06T11:12:09-04:00
Add /run/ipa to the list of files/directories to check

/run/ipa/ccaches is the main target, to ensure it retains the
right owner/group/permissions for privilege separation to work
by setting setuid and setgid so the underlying ccaches are
only readable by the ipaapi user/group.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/232

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f7577fb4 by Rob Crittenden at 2022-07-06T11:12:29-04:00
Use DN to compare agent cert issuer and subjects

The comparison was doing a string compare of the expected
description value.  This worked most of the time but if there
were simple case differents in the attributes that would
cause a false failure.

Instead compare them separately using the DN class to do
the comparison.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/93

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
fac00619 by Rob Crittenden at 2022-10-10T09:29:05-04:00
Clarify in the README that healthcheck is only for servers

I also mentioned that it only checks the local server, not others
currently.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/278

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
cf1cacab by Rob Crittenden at 2022-10-10T09:29:05-04:00
Fix E275 missing whitespace after keyword reported by flake8

Related: https://github.com/freeipa/freeipa-healthcheck/issues/278

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
51e582ae by Rob Crittenden at 2022-10-17T16:13:54-04:00
Use exceptions to indicate parsing errors, not a return value

The validation in parse_options() retured a 1 on failure.
Raise an exception instead and expect the caller to handle it.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a00e0293 by Rob Crittenden at 2022-10-17T16:13:54-04:00
Use new approach to validate whether the ipa-ca DNS record is complete

The previous method counted the number of servers with CA's and
expected an identical count of servers in ipa-ca, for each of the
A and AAAA types.

If one server had only A or AAAA records then this count could be
off and issue a spurious warning.

Instead get the list of A and AAAA records for servers with a CA
and compare the IP addresses to those of the A and AAAA records
of ipa-ca. Return a warning if any are missing or not expected
(e.g. a server was removed but remains in ipa-ca).

https://github.com/freeipa/freeipa-healthcheck/issues/270

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1a131b9 by Peter Keresztes Schmidt at 2022-11-19T19:42:45-05:00
Fix a typo in the ipa-healthcheck help message

Signed-off-by: Peter Keresztes Schmidt <carbenium at outlook.com>

- - - - -
cc87413e by Sam Morris at 2022-11-22T11:26:40-05:00
man: remove redundant example

Signed-off-by: Sam Morris <sam at robots.org.uk>

- - - - -
af543477 by Sam Morris at 2022-11-22T11:26:40-05:00
man: grammar

Signed-off-by: Sam Morris <sam at robots.org.uk>

- - - - -
be13ac1f by Sam Morris at 2022-11-22T11:26:40-05:00
man: fix missing new paragraph directive

Signed-off-by: Sam Morris <sam at robots.org.uk>

- - - - -
38b3ddfe by Rob Crittenden at 2022-12-01T10:13:22-05:00
Add limited support for CA certificates on a hardware token (HSM)

dogtagpki supports storing its subsystem and CA certificates on
an HSM. Look up the token name and password in the NSS db
password file. If a token exists then include that in the lookup
and expect (require) the CA, audit, ocsp and subsystem
certificates to be there. If a KRA is also configured then those
certificates will be in the HSM as well.

PKI supports mixing and matching but for now this only supports
a simplistic one HSM or no HSM.

This supports the existing IPA CertDB and NSSDatabase APIs
as well as IPA 4.9.x.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/276

Signed-off-by: Rob Crittenden <rcritten at redhat.com

- - - - -
db7831c7 by Rob Crittenden at 2022-12-01T10:13:22-05:00
Add tests for token support

This required changes to the mock CAInstance to support
the HSM properties in DogtagInstance.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/276

Signed-off-by: Rob Crittenden <rcritten at redhat.com

- - - - -
f8cbe6d5 by Rob Crittenden at 2022-12-01T10:13:22-05:00
Address some newer pylint issues related to API changes

- - - - -
c1091f52 by Antonio Torres at 2022-12-01T16:58:02+01:00
Become 0.12

- - - - -
31be12b8 by Rob Crittenden at 2023-03-28T15:24:52-04:00
Add more services to check the status, switch to using roles

Some services aren't included in ipaplaform.knownservices
like smb and winbind. It is possible to discover the
service name using the same method used by ipactl, via roles.
Switch some services to the roles  method.

The services added:
* ods_enforcerd
* ipa_ods_exporter
* ipa_dnskeysyncd
* chronyd
* smb
* winbind

Add option to skip disabled services. This is currently only
for chronyd which is not required but we'll check it if its
enabled.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/219
Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/196

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa6b7caa by Rob Crittenden at 2023-04-06T09:09:42-04:00
Require root to run ipa-healthcheck

The vast majority of checks require root access so enforce
it at run time.

This won't affect other runtimes that use healthcheck-core.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/148

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
41859764 by Rob Crittenden at 2023-04-07T07:59:51-04:00
If there are KRAs, ensure the renewal server is one

If there are KRAs in the topology and there isn't one on
the renewal server then the KRA certificates will not be
renewed because they expect another server to do it for them.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/125

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
6642a1ad by Rob Crittenden at 2023-04-07T08:49:50-04:00
Report certmonger requests that are in the stuck state

These may be caught already by other checks if the tracking
is configured incorrectly but it's a belt-and-suspenders
approach to ensure that the certificates have been issued
properly.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/123

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
30471ebd by Rob Crittenden at 2023-04-07T08:50:26-04:00
Skip AD domains with posix ranges in the catalog check

The catalog check is intended to ensure that the trust is
working by looking up a user. For a non-posix range we can use
the Administrator user because it has a predicible SID.

With a posix range the UID/GID may not be set so the lookup
can fail (with an empty return value).

So skip domain which have a posix range associated with it.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1775199

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ca85127 by Rob Crittenden at 2023-04-11T10:05:48-04:00
Report when all ipa-ca records are missing in IPADNSSystemRecordsCheck

If no DNS records were returned at all then the check for mismatches
was missed. Add a special case for this scenario by using a placeholder
for the IP address for a given CA server. If no records are returned
at all this case will catch it. If any exist at all then the
current code will handle it.

This is is easily reproduced using a non-IPA DNS server like
Google or Cloudflare where all lookups will fail.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/284

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
9124c5c6 by Rob Crittenden at 2023-05-09T11:47:17-04:00
Restrict the length of JSON output indent to 32

Too big a value and the system will exhause memory. Normally I
trust users not to do things like but it doesn't hurt to constrain
sometimes.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/197

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
d398f458 by Gordon Bleux at 2023-05-31T15:15:58-04:00
output: fix prometheus output pluging to comply with format specification

use comment syntax for HELP and TYPE annotations, as specified
by the prometheus test-base exposition format [1].

this change also introduces a output sub-class to reduce code
duplication.

closes #292

[1] https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format

Signed-off-by: Gordon Bleux <33967640+UiP9AV6Y at users.noreply.github.com>

- - - - -
4906c52b by Rob Crittenden at 2023-07-05T11:44:05-04:00
Catch exceptions during user/group name lookup in FileCheck

It's possible that one or more of the allowed users/groups
in a file check do not exist on the system. Catch this
exception and try to proceed as best as possible.

https://github.com/freeipa/freeipa-healthcheck/issues/296

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
2e3028ed by Rob Crittenden at 2023-07-12T09:59:30-04:00
gha: Replace F35/36 with F37/38, add python 3.11 to lint

F35 and F36 are not both obsolete. Switch to current
releases.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/295

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
183b2f85 by Rob Crittenden at 2023-07-12T09:59:30-04:00
pylint: Sync pylint plugin to FreeIPA

This is backport of
freeipa/freeipa at 10e18c3dc732a52d173e803970f6eb53dd9b6087
and
freeipa/freeipa at 232b5a9ddeb222035a9393bfc495b2ffba557801

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/295

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
18178ba0 by Rob Crittenden at 2023-07-12T09:59:30-04:00
Address issues uncovered by pylint 2.15.5

Two variables used before assignment

Three Useless suppression of 'unexpected-keyword-arg'

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/295

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
29855ec7 by Rob Crittenden at 2023-07-19T10:34:16-04:00
Don't error in DogtagCertsConnectivityCheck with external CAs

The purpose of the check is to validate that communication
with the CA works. In the past we looked up serial number 1
for this check. The problem is that if the server was
installed with RSNv3 so had no predictable CA serial number.

It also was broken with externally-issued CA certificate which
cannot be looked up in IPA.

Instead use the IPA RA agent certificate which should definitely
have a serial number in the IPA CA if one is configured.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/285

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
11c77a19 by Rob Crittenden at 2023-07-19T10:35:58-04:00
Become 0.13

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
e05903dc by Florence Blanc-Renaud at 2023-08-16T13:24:51-04:00
Python 3.12: utcnow function is deprecated

ipa-healthcheck on python 3.12 uses datetime.utcnow() which
is deprecated and produces warnings.
Replace with datetime.now(tz=UTC)

When a datetime object is returned through IPACertificate API,
always set the timezone to UTC (this makes the new code compatible
with old IPA and new IPA versions).

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
04c109a7 by Rob Crittenden at 2023-08-21T09:57:13-04:00
Become 0.14

- - - - -
9603491e by Rob Crittenden at 2023-09-28T22:20:27-04:00
Change the github runners to conform with new requirements

The older style runner is being deprecreated per
https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

The documntation is rather confusing what needed to be changed but
one of the examples included this change and it's now passing CI so...

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
cef7d57e by Rob Crittenden at 2023-10-03T09:12:14-04:00
Add a dirsrv requires to services that look up their names in LDAP

Some services aren't included in ipaplaform.knownservices
like smb and winbind. It is possible to discover the
service name using the same method used by ipactl, via roles.

If dirsrv isn't started then this will blow up spectacularly
so use requires as a guard against it.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/301

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a826ae84 by Rob Crittenden at 2023-10-16T10:09:12-04:00
Convert DBus objects into native python objects

There were cases where values were taken directly from DBus
objects. This worked in some cases but not in the case of the
token name.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/305

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
02211dd4 by Rob Crittenden at 2023-10-16T10:09:12-04:00
Disable the pylint github workflow

Ubuntu has pylint 3.0.1 which is apparently incompatible with
pylint_plugins.py. Disable this temporarily. Chances are good
that once this is addressed in freeipa it can be ported back
here as well.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
fd0b2ce7 by Rob Crittenden at 2023-10-16T10:24:43-04:00
Use timezone.utc instead of datetime.UTC for backwards compatibility

We switched to datetime.UTC because datetime.utcnow() was deprecated.
This is only available in python 3.11+. Use datetime.timezone.utc
instead which is available from python 3.2+

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/302

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
e69589d5 by Rob Crittenden at 2023-10-16T10:24:59-04:00
Validate service keytabs other than just /etc/krb5.keytab

There are quite a few other keytabs in use in IPA other than
just the host keytab. Validate that kinit in that keytab
works if the service is configured.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/175

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
4a9ebb37 by Rob Crittenden at 2023-11-07T09:39:43-05:00
Support validating LWCA certmonger requests

The LWCA ids are UUID4 format and are stored in LDAP so
we can retrieve the list (ignoring the ipa entry) and
construct what the request should look like.

Add a cache for the get_expected_requests() function. The
certificates aren't going to change (or shouldn't) in the
middle of a run and there is no point in duplicating several
LDAP requests for each call.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/307

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
bbffe5fc by Rob Crittenden at 2023-11-07T09:39:43-05:00
Drop all=True in IPACertRevocation cert_show call

This was causing a cache miss in the LDAPCache class. The
'*' + all default attributes was confusing the cache. We in fact
do not need all attributes so this is fine. This increases the
cache hits in cert.py from 7 to 24, reducing the number of
duplicate LDAP searches.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/307

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
25bbaab9 by Rob Crittenden at 2023-11-07T09:39:43-05:00
Disable failing not installed and not configured tests

These pass locally for me but fail in the github workflow. Marking
as xfail for now.

A deprecation warning is being spit out now on stderr instead out
stdout which includes the underlying message. Check both stdout
and stderr to be on the safe side.

Note: these tests only run as root.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/309

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f2eb911a by Rob Crittenden at 2023-11-07T10:12:15-05:00
Become 0.15

- - - - -
a56f1f80 by Rob Crittenden at 2023-11-09T10:37:34-05:00
Remove call to api.Backend.ldap2.disconnect()

This was added while I was testing the IPA LDAP client
cache performance. By disconnecting a summary of the cache is
logged. I never intended it remain in the code.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/310

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6b89d48 by Rob Crittenden at 2023-11-09T10:44:11-05:00
Become 0.16

- - - - -
93bcc265 by Timo Aaltonen at 2023-11-22T12:49:10+02:00
Merge branch 'upstream'

- - - - -
b944038d by Timo Aaltonen at 2023-11-22T12:49:56+02:00
version bump

- - - - -
8e38c563 by Timo Aaltonen at 2023-11-22T12:50:22+02:00
releasing package freeipa-healthcheck version 0.16-1

- - - - -


30 changed files:

- .github/workflows/pipelines.yml
- README.md
- debian/changelog
- man/man5/ipahealthcheck.conf.5
- man/man8/ipa-healthcheck.8
- pylint_plugins.py
- setup.py
- src/ipahealthcheck/core/core.py
- src/ipahealthcheck/core/files.py
- src/ipahealthcheck/core/main.py
- src/ipahealthcheck/core/output.py
- src/ipahealthcheck/core/plugin.py
- src/ipahealthcheck/dogtag/ca.py
- src/ipahealthcheck/ipa/certs.py
- src/ipahealthcheck/ipa/files.py
- src/ipahealthcheck/ipa/host.py
- src/ipahealthcheck/ipa/idns.py
- src/ipahealthcheck/ipa/kdc.py
- src/ipahealthcheck/ipa/roles.py
- src/ipahealthcheck/ipa/trust.py
- src/ipahealthcheck/meta/services.py
- + tests/fixtures/output/prometheus/all.prom
- tests/test_commands.py
- tests/test_core_files.py
- tests/test_dogtag_connectivity.py
- tests/test_ipa_agent.py
- tests/test_ipa_certfile_expiration.py
- tests/test_ipa_dns.py
- tests/test_ipa_kdc.py
- tests/test_ipa_nssdb.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/compare/8838639468f38a9a7f3bba0cf44bbbe33f042f54...8e38c563b9a2fd349db99035e5ed4d24f41100e3

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/compare/8838639468f38a9a7f3bba0cf44bbbe33f042f54...8e38c563b9a2fd349db99035e5ed4d24f41100e3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20231122/4600a685/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list