Hi,
I've re-installed my test system with Fedora 40. ipa-healthcheck says:
{
  "source": "ipahealthcheck.ipa.files",
  "check": "TomcatFileCheck",
  "result": "WARNING",
  "uuid": "0cad1a21-d450-4c68-845f-e72a640af360",
  "when": "20240610020014Z",
  "duration": "0.000986",
  "kw": {
    "key": "_var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode",
    "path": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
    "type": "mode",
    "expected": "0660",
    "got": "0664",
    "msg": "Permissions of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg are too permissive: 0664 and should be 0660"
  }
},
Otherwise the system seems to run fine. Might be a packaging problem...
Jochen
Jochen Kellner via FreeIPA-users wrote:
> Hi,
> I've re-installed my test system with Fedora 40. ipa-healthcheck says:
> {
>   "source": "ipahealthcheck.ipa.files",
>   "check": "TomcatFileCheck",
>   "result": "WARNING",
>   "uuid": "0cad1a21-d450-4c68-845f-e72a640af360",
>   "when": "20240610020014Z",
>   "duration": "0.000986",
>   "kw": {
>     "key": "_var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode",
>     "path": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>     "type": "mode",
>     "expected": "0660",
>     "got": "0664",
>     "msg": "Permissions of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg are too permissive: 0664 and should be 0660"
>   }
> },
> Otherwise the system seems to run fine. Might be a packaging problem...
Were only IPA packages updated or also dogtag-pki* or tomcat? I assume healthcheck output was clean prior to upgrading? I'm trying to narrow down where to look for the root cause.
In any case I'd heed the warning and tighten up the perms.
Thanks for the report.
rob
Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Jochen Kellner via FreeIPA-users wrote:
>> Hi,
>> I've re-installed my test system with Fedora 40. ipa-healthcheck says:
>> {
>>   "source": "ipahealthcheck.ipa.files",
>>   "check": "TomcatFileCheck",
>>   "result": "WARNING",
>>   "uuid": "0cad1a21-d450-4c68-845f-e72a640af360",
>>   "when": "20240610020014Z",
>>   "duration": "0.000986",
>>   "kw": {
>>     "key": "_var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode",
>>     "path": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
>>     "type": "mode",
>>     "expected": "0660",
>>     "got": "0664",
>>     "msg": "Permissions of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg are too permissive: 0664 and should be 0660"
>>   }
>> },
>> Otherwise the system seems to run fine. Might be a packaging problem...
> Were only IPA packages updated or also dogtag-pki* or tomcat? I assume healthcheck output was clean prior to upgrading? I'm trying to narrow down where to look for the root cause.
The system had been newly installed. The first entry in dnf.rpm.log is from 2024-06-04T21:02:05+0200.
These are the entries for 'grep -E "(ipa|pki)" /var/log/dnf.rpm.log':
2024-06-04T21:53:06+0200 SUBDEBUG Installed: freeipa-client-common-4.12.0-1.fc40.noarch
2024-06-04T21:53:06+0200 SUBDEBUG Installed: krb5-pkinit-1.21.2-5.fc40.x86_64
2024-06-04T21:53:07+0200 SUBDEBUG Installed: libipa_hbac-2.9.5-1.fc40.x86_64
2024-06-04T21:53:07+0200 SUBDEBUG Installed: python3-dogtag-pki-11.5.0-3.fc40.noarch
2024-06-04T21:53:07+0200 SUBDEBUG Installed: dogtag-pki-base-11.5.0-3.fc40.noarch
2024-06-04T21:53:08+0200 SUBDEBUG Installed: python3-libipa_hbac-2.9.5-1.fc40.x86_64
2024-06-04T21:53:09+0200 SUBDEBUG Installed: sssd-ipa-2.9.5-1.fc40.x86_64
2024-06-04T21:53:10+0200 SUBDEBUG Installed: freeipa-server-common-4.12.0-1.fc40.noarch
2024-06-04T21:53:10+0200 SUBDEBUG Installed: freeipa-selinux-4.12.0-1.fc40.noarch
2024-06-04T21:53:23+0200 SUBDEBUG Installed: freeipa-common-4.12.0-1.fc40.noarch
2024-06-04T21:53:24+0200 SUBDEBUG Installed: python3-ipalib-4.12.0-1.fc40.noarch
2024-06-04T21:53:24+0200 SUBDEBUG Installed: python3-ipaclient-4.12.0-1.fc40.noarch
2024-06-04T21:53:25+0200 SUBDEBUG Installed: python3-ipaserver-4.12.0-1.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-jackson2-provider-3.0.26-29.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-core-3.0.26-29.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-client-3.0.26-29.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: pki-resteasy-servlet-initializer-3.0.26-29.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: dogtag-pki-java-11.5.0-3.fc40.noarch
2024-06-04T21:53:27+0200 SUBDEBUG Installed: dogtag-pki-tools-11.5.0-3.fc40.x86_64
2024-06-04T21:53:30+0200 SUBDEBUG Installed: freeipa-healthcheck-core-0.16-5.fc40.noarch
2024-06-04T21:53:32+0200 SUBDEBUG Installed: dogtag-pki-server-11.5.0-3.fc40.noarch
2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-acme-11.5.0-3.fc40.noarch
2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-ca-11.5.0-3.fc40.noarch
2024-06-04T21:53:33+0200 SUBDEBUG Installed: dogtag-pki-kra-11.5.0-3.fc40.noarch
2024-06-04T21:53:33+0200 SUBDEBUG Installed: freeipa-client-4.12.0-1.fc40.x86_64
2024-06-04T21:53:33+0200 SUBDEBUG Installed: freeipa-server-4.12.0-1.fc40.x86_64
2024-06-04T21:53:42+0200 SUBDEBUG Installed: freeipa-server-dns-4.12.0-1.fc40.noarch
2024-06-05T06:51:41+0200 SUBDEBUG Installed: freeipa-server-trust-ad-4.12.0-1.fc40.x86_64
2024-06-05T06:51:53+0200 SUBDEBUG Installed: freeipa-healthcheck-0.16-5.fc40.noarch
ipa-server-install.log starts at 2024-06-04T20:34:53Z, there is no file ipaupgrade.log.
These are the only updates applied since installation:
root@freeipa:/var/log# grep Upgrade dnf.rpm.log
2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: qt5-srpm-macros-5.15.14-1.fc40.noarch
2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: git-core-2.45.2-2.fc40.x86_64
2024-06-06T06:37:56+0200 SUBDEBUG Upgrade: apache-commons-io-1:2.16.1-1.fc40.noarch
2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: qt5-srpm-macros-5.15.13-1.fc40.noarch
2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: apache-commons-io-1:2.13.0-8.fc40.noarch
2024-06-06T06:37:56+0200 SUBDEBUG Upgraded: git-core-2.45.1-1.fc40.x86_64
2024-06-07T17:04:15+0200 SUBDEBUG Upgrade: iproute-6.7.0-2.fc40.x86_64
2024-06-07T17:04:15+0200 SUBDEBUG Upgraded: iproute-6.7.0-1.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: rsvg-pixbuf-loader-2.57.1-6.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: librsvg2-2.57.1-6.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgrade: libdrm-2.4.121-1.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: librsvg2-2.57.1-4.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: rsvg-pixbuf-loader-2.57.1-4.fc40.x86_64
2024-06-09T06:36:16+0200 SUBDEBUG Upgraded: libdrm-2.4.120-3.fc40.x86_64
2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-filesystem-24.0.9-1.fc40.x86_64
2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-va-drivers-24.0.9-1.fc40.x86_64
2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-libglapi-24.0.9-1.fc40.x86_64
2024-06-10T06:21:12+0200 SUBDEBUG Upgrade: mesa-dri-drivers-24.0.9-1.fc40.x86_64
2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libgbm-24.0.9-1.fc40.x86_64
2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libEGL-24.0.9-1.fc40.x86_64
2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: mesa-libGL-24.0.9-1.fc40.x86_64
2024-06-10T06:21:13+0200 SUBDEBUG Upgrade: fontconfig-2.15.0-6.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libEGL-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libGL-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libgbm-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-libglapi-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-dri-drivers-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-va-drivers-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: mesa-filesystem-24.0.8-1.fc40.x86_64
2024-06-10T06:21:14+0200 SUBDEBUG Upgraded: fontconfig-2.15.0-4.fc40.x86_64
> In any case I'd heed the warning and tighten up the perms.
Thanks a lot.
> Thanks for the report.
You're welcome!
Jochen
freeipa-users@lists.fedorahosted.org
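
Added example, not part of the thread and not ipa-healthcheck's own code: a small Python helper that reads the JSON list ipa-healthcheck prints, picks out file-mode findings like the one reported above, and shows which permission bits exceed the expected mode (0664 against 0660 leaves the file readable by "other"). The function names and the SUCCESS entry in the sample are constructed for illustration.

```python
import json
import os
import shlex
import stat

# Constructed sample: the WARNING from this thread plus one constructed SUCCESS
# entry, wrapped in the JSON list that ipa-healthcheck prints.
SAMPLE = """[
 {"source": "ipahealthcheck.ipa.files", "check": "TomcatFileCheck",
  "result": "SUCCESS",
  "kw": {"key": "constructed_example_owner", "type": "owner",
         "path": "/constructed/example/path"}},
 {"source": "ipahealthcheck.ipa.files", "check": "TomcatFileCheck",
  "result": "WARNING",
  "kw": {"key": "_var_lib_pki_pki-tomcat_conf_ca_CS.cfg_mode",
         "path": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg", "type": "mode",
         "expected": "0660", "got": "0664"}}
]"""

def excess_bits(expected, got):
    """Permission bits present on disk that the expected mode does not grant."""
    return int(got, 8) & ~int(expected, 8) & 0o777

def describe(bits):
    """Render excess bits symbolically, e.g. 0o004 -> ['o+r']."""
    return [f"{who}+{flag}"
            for who, shift in (("u", 6), ("g", 3), ("o", 0))
            for flag, mask in (("r", 4), ("w", 2), ("x", 1))
            if bits & (mask << shift)]

def mode_findings(report_json):
    """Return one dict per non-SUCCESS file-mode result in a healthcheck report."""
    findings = []
    for entry in json.loads(report_json):
        kw = entry.get("kw", {})
        if entry.get("result") == "SUCCESS" or kw.get("type") != "mode":
            continue
        findings.append({
            "path": kw["path"],
            "extra": describe(excess_bits(kw["expected"], kw["got"])),
            "fix": f"chmod {kw['expected']} {shlex.quote(kw['path'])}",
        })
    return findings

def still_too_permissive(path, expected):
    """Re-check the file on disk after tightening; True means bits remain."""
    on_disk = stat.S_IMODE(os.stat(path).st_mode)
    return bool(on_disk & ~int(expected, 8) & 0o777)

if __name__ == "__main__":
    for f in mode_findings(SAMPLE):
        print(f["path"], "extra bits:", ",".join(f["extra"]), "->", f["fix"])
```

After applying the suggested chmod, `still_too_permissive(path, "0660")` re-checks the file on disk, and a later ipa-healthcheck run should no longer report the warning.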