Fedora 31

[croissanne]

• image-refresh fedora-31

• rebuild image again to get grubby installed
• fix custom cockpit keytab: PR session: Fix custom cockpit kerberos keytab with krb5 > 1.17 #12732

Issues:

• atomic package isn't available on f31
• docker doesn't support cgroupsv2: fedora 31 docker support #12670

[marusak]

Thank you, a few things though:

0. Before this PR should come PR that would declare fedora-31 into testmap.py so it can be triggered.

1. This needs to be added into bots/image-trigger

2. Bunch of naughties needs to be copied over, but I agree with with firstly running tests and copying only those, that are needed

3. Adding master as default target for fedora-31 (see point 0.)

4. Needs to be mentioned in README

5. Needs to build image in this PR

6. There are a few tests that behave differently on fedora-30, they also needs to check for fedora-31

[marusak]

This URl does not exists (yet), please use https://dl.fedoraproject.org/pub/fedora/linux/development/31/Everything/x86_64/os/

[marusak]

5. Needs to build image in this PR

I see you added it. Don't forget to add bot label when ready so bots really pick it up

[cockpituous]

image-refresh in progress on 3-ci-srv-06.
Log: https://209.132.184.41:8493/logs/image-refresh-12619-20190822-092626/

[cockpituous]

Task failed: https://209.132.184.41:8493/logs/image-refresh-12619-20190822-092626/

[cockpituous]

image-refresh in progress on 1-ci-srv-03.
Log: https://209.132.184.41:8493/logs/image-refresh-12619-20190822-122626/

[cockpituous]

Task failed: https://209.132.184.41:8493/logs/image-refresh-12619-20190822-122626/

[cockpituous]

image-refresh in progress on centosci-tasks-w4dn3.
Log: https://logs-https-cockpit.apps.ci.centos.org/logs/image-refresh-12619-20190823-074646/

[cockpituous]

Task failed: https://logs-https-cockpit.apps.ci.centos.org/logs/image-refresh-12619-20190823-074646/

[cockpituous]

image-refresh in progress on 3-cockpit-8.
Log: https://209.132.184.41:8493/logs/image-refresh-12619-20190823-081515/

[cockpituous]

Task failed: https://209.132.184.41:8493/logs/image-refresh-12619-20190823-081515/

[martinpitt]

Notes about the curl check-realms failure: My initial thought was that F31 may have switched from the kernel keyring to the user-land KCM (keyring cache daemon) by default. But /etc/krb5.conf.d/kcm_default_ccache already exists in F30, and so does sssd-kcm.service. On F31 this service is active, and in klist I do see the ticket:

# klist
Ticket cache: KCM:0
Default principal: admin@COCKPIT.LAN

Valid starting       Expires              Service principal
06.09.2019 10:02:54  07.09.2019 10:02:53  host/x0.cockpit.lan@COCKPIT.LAN
06.09.2019 10:02:53  07.09.2019 10:02:53  krbtgt/COCKPIT.LAN@COCKPIT.LAN
06.09.2019 10:03:01  07.09.2019 10:02:53  HTTP/x0.cockpit.lan@COCKPIT.LAN

But with curl

curl --negotiate --delegation always -u : -D- http://x0.cockpit.lan:9090/cockpit/login

you get

cockpit-session: gssapi auth failed: Request ticket server HTTP/x0.cockpit.lan@COCKPIT.LAN not found in keytab (ticket kvno 1)

But it's cleary there:

# klist -k /etc/cockpit/krb5.keytab 
Keytab name: FILE:/etc/cockpit/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/x0.cockpit.lan@COCKPIT.LAN
   1 HTTP/x0.cockpit.lan@COCKPIT.LAN

This is pretty much exactly how it looks like on Fedora 30.

FTR, this is not about the user ticket, that works fine (with KCM and kernel keyring, and you get a ticket either way). This is about kerberos not being able to authenticate the cockpit service.

Interestingly, when we move the cockpit server keytab to the default location, it works:

mv /etc/krb5.keytab{,.disabled}
mv /etc/cockpit/krb5.keytab /etc/krb5.keytab

after that, curl gets a valid login/session. So it seems whatever we do to support a custom keytab in the server stopped working.

I downloaded the older 1.17-4.fc30 version of libkadm5, krb-workstation, and krb5-libs from
Fedora 30, downgraded (rpm -U --force --nodeps), and it immediately started working again. That gives some chance of bisecting between -4 and -40, possibly the $KRB5_KTNAME support got broken? Fortunately it's still the same upstream version.

When looking through the diff, the secure_getenv() patch (backported from upstream) caught my attention, as cockpit-session is suid root. And indeed when I downgrade to 1.17-15 (the version immediately before that), things work. When I upgrade to 1.17-16 (the version that introduced secure_getenv), it fails.

There is unfortunately no other way to set the keytab than through the environment, as changing the global configuration file is out of the question for cockpit-session. So we either need to convince secure_getenv() into accepting the variable, or I'll file an upstream and downstream bug and ask if there's another trick or this could be partially reverted.

I asked on the original upstream PR for advice.

[cockpituous]

image-refresh in progress on 2-cockpit-9.
Log: https://209.132.184.41:8493/logs/image-refresh-12619-20190906-162424/

[cockpituous]

image-refresh fedora-31 done: https://github.com/cockpituous/cockpit/commits/image-refresh-fedora-31-20190906-170808

[martinpitt]

I sent a fix for custom krb keytab in PR #12732. Adding "blocked" for that. Feel free to rope in the commit in the meantime if you wan to run tests on CI.

[martinpitt]

Unblocking. PR #12732 landed, so kerberos (check-realms) should work now.

[martinpitt]

Thanks, great work! Please do some squashing here, this should be by and large just two commits ("add fedora-31", and the image refresh), plus possibly the two unrelated changes (dashboard as "admin" user, and firewall test generalizations) unless you split them out.

[martinpitt]

If that's a temporary hack, fine. If it's planned (or at least likely) that docker just won't be a thing any more in F31, then let's swap this around: Only add docker to fedora-30 (legacy mode).

[martinpitt]

Let's perhaps make this if type docker >/dev/null 2>&1, as long as it's not yet clear which relelases docker will end up on in the long run. Or something similar to $HAVE_KUBERNETES?

[martinpitt]

Can you please split this out into a separate commit (or even PR) with a more detailled explanation?

[martinpitt]

Not sure why this is in the "docker: Skip docker tests on fedora-31" and the previous "add fedora-31" commit. (github web UI bug?). Either way, this commit should be squashed into the "add fedora-31 image" commit.

[martinpitt]

Most of this commit looks like it could go into a separate PR and be landed first, as it's some generalization? Then the "add fedora-31" main commit can just add the "fedora-31" special cases to the lists.

[martinpitt]

This should be fixed properly now in master, and can be dropped.

[martinpitt]

This could also be split out and landed separately. (If it helps, then you don't need to run the entire set of tests for this PR)

[martinpitt]

This now conflicts after PR #12735, sorry.

[martinpitt]

Some nitpicks still, but looking really good now!

[martinpitt]

Thanks! Still needs a Closes #, although it's also fine to just squash the two commits.

changed