
ipa-client-install: add support for sss_ssh_knownhosts #7254

Closed · wants to merge 2 commits

Conversation

f-trivino (Contributor):

sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. With this update, if the file /usr/bin/sss_ssh_knownhosts is present, it will be used instead of /usr/bin/sss_ssh_knownhostsproxy. This commit also implements a mechanism to apply the change when upgrading from older versions.

Fixes: https://pagure.io/freeipa/issue/9536

@f-trivino f-trivino added the WIP Work in progress - not ready yet for review label Feb 28, 2024
flo-renaud (Contributor):

@f-trivino the failure of test_commands is related to feb 29, please see 9548. Re-run the test tomorrow and it should succeed.

f-trivino (Contributor, Author):

@flo-renaud thank you for the pointer! Yeah, I noticed that the error wasn't related to the PR. I'll rerun it tomorrow so I can test this code "Without" sss_ssh_knownhosts feature (sssd-2-10), then will wait till sss_ssh_knownhosts is in place and re-run again so I test the "With".

@rcritten rcritten added the re-run Trigger a new run of PR-CI label Mar 5, 2024
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Mar 5, 2024
rcritten (Contributor) commented Mar 6, 2024:

Looks like there is a usage error in test_integration/test_commands.py::TestIPACommand::test_sss_ssh_authorizedkeys and test_integration/test_sssd.py::TestNestedMembers::test_nested_group_members

Usage: sss_ssh_knownhosts [-?] [-?|--help] [--usage] [-d|--domain=STRING] HOST

I wonder if the credentials revoked failure in test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock is related to too many failed authentications.

f-trivino (Contributor, Author):

> Looks like there is a usage error in test_integration/test_commands.py::TestIPACommand::test_sss_ssh_authorizedkeys and test_integration/test_sssd.py::TestNestedMembers::test_nested_group_members
>
> Usage: sss_ssh_knownhosts [-?] [-?|--help] [--usage] [-d|--domain=STRING] HOST
>
> I wonder if the credentials revoked failure in test_integration/test_commands.py::TestIPACommand::test_reset_password_unlock is related to too many failed authentications.

thanks @rcritten, thanks to @aplopez I found out that the new arg for KnownHostsCommand is "%H" instead of "-p %p %h". Fixed now.

aplopez commented Mar 8, 2024:

LGTM from the SSSD side.

f-trivino (Contributor, Author):

Tests from temp_commit are passing. I'm adding links here just for reference:

  • sssd-fedora/build
  • sssd-fedora/test_commands
  • sssd-fedora/test_sssd

@f-trivino f-trivino added needs review Pull Request is waiting for a review and removed WIP Work in progress - not ready yet for review labels Apr 15, 2024
@f-trivino f-trivino changed the title WIP: ipa-client-install: add support for sss_ssh_knownhosts ipa-client-install: add support for sss_ssh_knownhosts Apr 15, 2024
f-trivino (Contributor, Author):

I have a worry about upgrades. What if ipa-client gets upgraded before the sssd-common package. In that case, the old ssh_ipa.conf will persist in the system even after sssd is updated, and the new sss_ssh_knownhosts file is present.

flo-renaud (Contributor):

> I have a worry about upgrades. What if ipa-client gets upgraded before the sssd-common package. In that case, the old ssh_ipa.conf will persist in the system even after sssd is updated, and the new sss_ssh_knownhosts file is present.

The spec file can use %triggerin client -- sssd-common >= 2.10 as defined in https://rpm-software-management.github.io/rpm/manual/triggers.html

@f-trivino f-trivino force-pushed the sss_ssh_knownhosts branch 2 times, most recently from 468484a to e9136e6 on April 22, 2024 11:44

aplopez commented Apr 23, 2024:

For this particular case, I think it could be better to use file triggers (%filetriggerin).

https://rpm-software-management.github.io/rpm/manual/file_triggers.html

%filetriggerin -n %{name}-common -- /usr/bin
echo "TRIGGERING freeipa-common script"
if [ -x /usr/bin/sss_ssh_knownhosts ]; then
    echo "File installed"
fi

This example script is executed every time freeipa-client is installed and there is a file in /usr/bin (always), but it is also executed when another RPM installs a file in /usr/bin. It is not possible to know which file was installed and it can be invoked more than once.

Documentation always mentions file prefixes as condition. I tried with the full file path and it worked for RPM removal (%filetriggerpostun) but not for installation. I don't know if this is a bug or a feature.

flo-renaud (Contributor) left a review comment:

Hi @f-trivino,
Please find inline comments.

flo-renaud (Contributor) left a review comment:

Hi @f-trivino,
thanks for the PR. I have 2 minor nitpicks (line length) but otherwise the fix looks good to me. I tested upgrade of ipa-client then sssd-client or sssd-client then ipa-client, as well as downgrade of sssd-client; we have the expected output.
New installation also properly handles the sssd version.

)

enableproxy = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY) and not enableknownhosts # noqa: E501
flo-renaud (Contributor):

Please add a line break instead of ignoring the linter error

f-trivino (Contributor, Author):

fixed

enableproxy = bool(
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY)
options.sssd and os.path.isfile(paths.SSS_SSH_KNOWNHOSTSPROXY) and not enableknownhosts # noqa: E501
flo-renaud (Contributor):

Please add a line break instead of ignoring the linter error

f-trivino (Contributor, Author):

fixed

f-trivino (Contributor, Author):

> Hi @f-trivino thanks for the PR. I have 2 minor nitpicks (line length) but otherwise the fix looks good to me. I tested upgrade of ipa-client then sssd-client or sssd-client then ipa-client, as well as downgrade of sssd-client, we have the expected output. New installation also properly handles the sssd version.

thanks for testing all use cases. I do agree that lines can be broken while maintaining readability, fixed.

f-trivino (Contributor, Author):

> For this particular case, I think it could be better to use file triggers (%filetriggerin).
>
> https://rpm-software-management.github.io/rpm/manual/file_triggers.html
>
> %filetriggerin -n %{name}-common -- /usr/bin
> echo "TRIGGERING freeipa-common script"
> if [ -x /usr/bin/sss_ssh_knownhosts ]; then
>     echo "File installed"
> fi
>
> This example script is executed every time freeipa-client is installed and there is a file in /usr/bin (always), but it is also executed when another RPM installs a file in /usr/bin. It is not possible to know which file was installed and it can be invoked more than once.
>
> Documentation always mentions file prefixes as condition. I tried with the full file path and it worked for RPM removal (%filetriggerpostun) but not for installation. I don't know if this is a bug or a feature.

thanks @aplopez, I finally opted for

triggerin client -- sssd-common < 2.10
...
triggerin client -- sssd-common >= 2.10
...

as filetriggerin would react for all file changes in /usr/bin

Commit messages:

sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts.

With this update, if the file /usr/bin/sss_ssh_knownhosts is present,
KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile
is disabled as it is no longer needed.

Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <[email protected]>

sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. This commit
implements a mechanism to apply the change when upgrading from older versions.

Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <[email protected]>
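The two commits above describe (1) choosing KnownHostsCommand with sss_ssh_knownhosts over ProxyCommand with sss_ssh_knownhostsproxy, and (2) re-applying that choice when packages are upgraded in either order. The following Python is an added illustration written for this page; it is not FreeIPA's client.py or spec-file code. It assumes a minimal `Options` object with an `sssd` flag, a hypothetical ssh snippet laid out as a `Host *` block, and the SSSD path `/var/lib/sss/pubconf/known_hosts` for the proxy's known_hosts file. The `%H` argument for sss_ssh_knownhosts and the `-p %p %h` arguments for the proxy are taken from the discussion; the `migrate_snippet` function stands in for what an RPM `%triggerin` on sssd-common would invoke.

```python
import os
import re
from dataclasses import dataclass

# Helper binaries discussed in the PR: the new one is preferred when present.
KNOWNHOSTS = "sss_ssh_knownhosts"            # shipped by sssd-common >= 2.10
KNOWNHOSTSPROXY = "sss_ssh_knownhostsproxy"  # deprecated helper
# Assumed location of the SSSD-managed known_hosts file used with the proxy.
PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"

# Directives this example owns inside the client's ssh snippet (hypothetical
# "ssh_ipa.conf"); anything else in the file is left untouched on migration.
MANAGED = re.compile(r"^\s*(KnownHostsCommand|ProxyCommand|GlobalKnownHostsFile)\b")


@dataclass
class Options:
    """Subset of installer options relevant here (assumption)."""
    sssd: bool = True


def select_mode(options, bindir="/usr/bin"):
    """Decide which helper to configure, mirroring the enableknownhosts /
    enableproxy pair seen in the PR: the proxy is only enabled when the
    new helper is absent, so both directives are never written at once."""
    enableknownhosts = bool(
        options.sssd and os.path.isfile(os.path.join(bindir, KNOWNHOSTS))
    )
    enableproxy = bool(
        options.sssd
        and os.path.isfile(os.path.join(bindir, KNOWNHOSTSPROXY))
        and not enableknownhosts
    )
    return enableknownhosts, enableproxy


def render_directives(enableknownhosts, enableproxy, bindir="/usr/bin"):
    """Return the managed ssh_config lines for the chosen mode.
    %H is the token the PR settled on for sss_ssh_knownhosts; the proxy
    keeps its old '-p %p %h' arguments. GlobalKnownHostsFile is only
    needed alongside the proxy, which is what populates that file."""
    if enableknownhosts:
        return [f"KnownHostsCommand {bindir}/{KNOWNHOSTS} %H"]
    if enableproxy:
        return [
            f"GlobalKnownHostsFile {PUBCONF_KNOWN_HOSTS}",
            f"ProxyCommand {bindir}/{KNOWNHOSTSPROXY} -p %p %h",
        ]
    return []


def migrate_snippet(text, options, bindir="/usr/bin"):
    """Upgrade/downgrade hook: rewrite an existing snippet so that it matches
    the helper currently installed. This covers the ordering worry from the
    thread (ipa-client upgraded before sssd-common) and an sssd downgrade,
    because it keys off the files present now, not off what was written
    earlier. Running it twice yields the same text."""
    kept = [line for line in text.splitlines() if not MANAGED.match(line)]
    directives = render_directives(*select_mode(options, bindir), bindir=bindir)
    # Indent managed lines like the rest of a 'Host *' block when one exists.
    indent = "  " if any(l.startswith("Host ") for l in kept) else ""
    return "\n".join(kept + [indent + d for d in directives]) + "\n"


if __name__ == "__main__":
    import tempfile

    # Constructed sandbox standing in for /usr/bin with only the old helper.
    bindir = tempfile.mkdtemp()
    open(os.path.join(bindir, KNOWNHOSTSPROXY), "w").close()
    old = migrate_snippet("Host *\n  PubkeyAuthentication yes\n", Options(), bindir)
    print(old)
    # Simulate sssd-common >= 2.10 landing afterwards, then the trigger firing.
    open(os.path.join(bindir, KNOWNHOSTS), "w").close()
    print(migrate_snippet(old, Options(), bindir))
```

Because the hook derives the state from the filesystem rather than from the package order, running it from both the `< 2.10` and `>= 2.10` triggers gives the same result as a fresh install on that system; the trigger version split only decides when the hook runs, not what it writes.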
@f-trivino f-trivino added the ipa-4-11 Mark for backport to ipa 4.11 label May 8, 2024
@flo-renaud flo-renaud added ack Pull Request approved, can be merged pushed Pull Request has already been pushed and removed needs review Pull Request is waiting for a review labels May 13, 2024
flo-renaud (Contributor):

master:

  • 7d54a6d ipa-client-install: add support for sss_ssh_knownhosts
  • b34525c Spec file: add support for sss_ssh_knownhosts
