From 464b576fdb7a5efc8fafbb9d4a5abca424a62579 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2020 14:24:30 +0000 Subject: import sssd-1.16.4-37.el7_8.4 --- diff --git a/SOURCES/0115-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch b/SOURCES/0115-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch new file mode 100644 index 0000000..f47b281 --- /dev/null +++ b/SOURCES/0115-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch @@ -0,0 +1,52 @@ +From 6e82ba82e4f2ce1440588437ca9e23a1b159df09 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 19 Jul 2019 12:19:53 +0200 +Subject: [PATCH 19/21] MONITOR: Propagate error when resolv.conf does not + exists in polling mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Return ENOENT when resolv.conf is missing after falling back to polling +mode. This way missing_resolv_conf will schedule a timer to check again +after some seconds. + +Signed-off-by: Samuel Cabrero + +Reviewed-by: Sumit Bose +(cherry picked from commit d20a7f9d5e56d1e9af273d97c7fd42fe8b2eda47) + +Reviewed-by: Pavel Březina +--- + src/monitor/monitor.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 12250a15e..04e0017a2 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1908,18 +1908,14 @@ static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx, + if (ret < 0) { + err = errno; + if (err == ENOENT) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "file [%s] is missing. Will not update online status " +- "based on watching the file\n", file); +- return EOK; +- ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "file [%s] is missing. Will try again later.\n", file); + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not stat file [%s]. Error [%d:%s]\n", + file, err, strerror(err)); +- +- return err; + } ++ return err; + } + + file_ctx->poll_check.parent_ctx = parent_ctx; +-- +2.21.1 + 
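Review bot: The ENOENT branch of monitor_config_file_fallback now logs at SSSDBG_CRIT_FAILURE on every call, and since the commit message says the caller reschedules the check through missing_resolv_conf after some seconds, a host that legitimately has no resolv.conf for a while will emit a critical-level line on each poll interval. Keeping the previous level for the retried case, `DEBUG(SSSDBG_MINOR_FAILURE, "file [%s] is missing. Will try again later.\n", file);`, or logging once and downgrading on later attempts, would keep critical-level entries meaningful for anyone monitoring the sssd log. The wording "Will try again later" also assumes the resolv.conf caller; if monitor_config_file_fallback is reachable from a caller without a retry timer, that text would be misleading there. The function starts and ends outside the hunk.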
diff --git a/SOURCES/0116-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch b/SOURCES/0116-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch new file mode 100644 index 0000000..469c647 --- /dev/null +++ b/SOURCES/0116-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch 
@@ -0,0 +1,189 @@ +From f952a5de24ba7c40310bbf63fa83d772a9cbaec9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 2 Sep 2019 15:31:09 +0200 +Subject: [PATCH 20/21] MONITOR: Add a new option to control resolv.conf + monitoring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For those use-cases where resolv.conf will never exist the new +'monitor_resolv_conf' option can be set to false to skip the retry loop +which tries to set the inotify watcher. + +Signed-off-by: Samuel Cabrero + +Reviewed-by: Sumit Bose +(cherry picked from commit 9b6323d8e99c3edb16b64ef60a769efbc3a292aa) + +Reviewed-by: Pavel Březina +--- + src/confdb/confdb.h | 1 + + src/config/SSSDConfigTest.py | 1 + + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.conf | 1 + + src/man/sssd.conf.5.xml | 23 ++++++++++++----- + src/monitor/monitor.c | 49 ++++++++++++++++++++++++++++-------- + 6 files changed, 59 insertions(+), 17 deletions(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 0251ab606..d3e71be86 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -66,6 +66,7 @@ + #define CONFDB_MONITOR_SBUS_TIMEOUT "sbus_timeout" + #define CONFDB_MONITOR_ACTIVE_SERVICES "services" + #define CONFDB_MONITOR_ACTIVE_DOMAINS "domains" ++#define CONFDB_MONITOR_RESOLV_CONF "monitor_resolv_conf" + #define CONFDB_MONITOR_TRY_INOTIFY "try_inotify" + #define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir" + #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 863304424..979b1806f 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -391,6 +391,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase): + 'enable_files_domain', + 'domain_resolution_order', + 'try_inotify', ++ 'monitor_resolv_conf', + ] + + self.assertTrue(type(options) == dict, +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini 
+index 228c8841e..997ba5aec 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -51,6 +51,7 @@ option = disable_netlink + option = enable_files_domain + option = domain_resolution_order + option = try_inotify ++option = monitor_resolv_conf + + [rule/allowed_nss_options] + validator = ini_allowed_options +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index a10e74889..355c1fc9b 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -34,6 +34,7 @@ disable_netlink = bool, None, false + enable_files_domain = str, None, false + domain_resolution_order = list, str, false + try_inotify = bool, None, false ++monitor_resolv_conf = bool, None, false + + [nss] + # Name service +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 277a3c0cb..0e1a97a31 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -318,16 +318,27 @@ + + + ++ ++ monitor_resolv_conf (boolean) ++ ++ ++ Controls if SSSD should monitor the state of ++ resolv.conf to identify when it needs to ++ update its internal DNS resolver. ++ ++ ++ Default: true ++ ++ ++ + + try_inotify (boolean) + + +- SSSD monitors the state of resolv.conf to +- identify when it needs to update its internal +- DNS resolver. By default, we will attempt to +- use inotify for this, and will fall back to +- polling resolv.conf every five seconds if +- inotify cannot be used. ++ By default, SSSD will attempt to use inotify ++ to monitor configuration files changes and ++ will fall back to polling every five seconds ++ if inotify cannot be used. 
+ + + There are some limited situations where it is +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 04e0017a2..5dfc4423c 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1971,13 +1971,46 @@ static void missing_resolv_conf(struct tevent_context *ev, + } + } + ++static int monitor_config_files(struct mt_ctx *ctx) ++{ ++ int ret; ++ bool monitor_resolv_conf; ++ struct timeval tv; ++ struct tevent_timer *te; ++ ++ /* Watch for changes to the DNS resolv.conf */ ++ ret = confdb_get_bool(ctx->cdb, ++ CONFDB_MONITOR_CONF_ENTRY, ++ CONFDB_MONITOR_RESOLV_CONF, ++ true, &monitor_resolv_conf); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (monitor_resolv_conf) { ++ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, ++ RESOLV_CONF_PATH); ++ if (ret == ENOENT) { ++ tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0); ++ te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx); ++ if (te == NULL) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "resolv.conf will be ignored\n"); ++ } ++ } else if (ret != EOK) { ++ return ret; ++ } ++ } else { ++ DEBUG(SSS_LOG_NOTICE, "%s monitoring is disabled\n", RESOLV_CONF_PATH); ++ } ++ ++ return EOK; ++} ++ + static int monitor_process_init(struct mt_ctx *ctx, + const char *config_file) + { + TALLOC_CTX *tmp_ctx; + struct tevent_signal *tes; +- struct timeval tv; +- struct tevent_timer *te; + struct sss_domain_info *dom; + char *rcachedir; + int num_providers; +@@ -2052,15 +2085,9 @@ static int monitor_process_init(struct mt_ctx *ctx, + ret = sss_sigchld_init(ctx, ctx->ev, &ctx->sigchld_ctx); + if (ret != EOK) return ret; + +- /* Watch for changes to the DNS resolv.conf */ +- ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH); +- if (ret == ENOENT) { +- tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0); +- te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx); +- if (te == NULL) { +- DEBUG(SSSDBG_FATAL_FAILURE, "resolv.conf will be 
ignored\n"); +- } +- } else if (ret != EOK) { ++ /* Set up watchers for system config files */ ++ ret = monitor_config_files(ctx); ++ if (ret != EOK) { + return ret; + } + +-- +2.21.1 + diff --git a/SOURCES/0117-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch b/SOURCES/0117-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch new file mode 100644 index 0000000..66e2a5a --- /dev/null +++ b/SOURCES/0117-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch 
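Review bot: The disabled-monitoring branch of the new monitor_config_files calls `DEBUG(SSS_LOG_NOTICE, "%s monitoring is disabled\n", RESOLV_CONF_PATH);`, while every other DEBUG() in these patches passes an SSSDBG_* level (SSSDBG_FATAL_FAILURE a few lines above in the same function). If SSS_LOG_NOTICE is the syslog priority used by sss_log() rather than a debug-level constant, the message is gated at an unintended level; `DEBUG(SSSDBG_CONF_SETTINGS, "%s monitoring is disabled\n", RESOLV_CONF_PATH);` would match how configuration state is reported elsewhere in sssd, assuming that constant exists in this tree. The `te == NULL` case still returns EOK after logging a fatal failure, but that behaviour is carried over from the removed code rather than introduced here. The default of true passed to confdb_get_bool agrees with the "Default: true" text added in the sssd.conf.5.xml hunk.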
@@ -0,0 +1,111 @@ +From 9fe64023e32ab9e3fbbfeefc2168a49b748a1846 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Fri, 19 Jul 2019 12:24:56 +0200 +Subject: [PATCH 21/21] MONITOR: Resolve symlinks setting the inotify watchers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If resolv.conf is a symlink and sssd starts before getting an address +from dhcp the data provider will remain forever offline, as the watched +parent directory is the directory containing the symlink. + +Signed-off-by: Samuel Cabrero + +Reviewed-by: Sumit Bose +(cherry picked from commit d57c67e4efc64a16b874b46eb9670fdc9c73a39f) + +Reviewed-by: Pavel Březina +--- + src/util/inotify.c | 55 +++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 52 insertions(+), 3 deletions(-) + +diff --git a/src/util/inotify.c b/src/util/inotify.c +index 2e2dc1a6e..ffc15ad4d 100644 +--- a/src/util/inotify.c ++++ b/src/util/inotify.c +@@ -381,13 +381,62 @@ static int watch_ctx_destructor(void *memptr) + return 0; + } + ++static errno_t resolve_filename(struct snotify_ctx *snctx, ++ const char *filename, ++ char *resolved, ++ size_t resolved_size) ++{ ++ /* NOTE: The code below relies in the GNU extensions for realpath, ++ * which will store in 'resolved' the prefix of 'filename' that does ++ * not exists if realpath call fails and errno is set to ENOENT */ ++ if (realpath(filename, resolved) == NULL) { ++ char fcopy[PATH_MAX + 1]; ++ char *p; ++ struct stat st; ++ ++ if (errno != ENOENT) { ++ return errno; ++ } ++ ++ /* Check if the unique missing component is the basename. The ++ * dirname must exist to be notified watching the parent dir. */ ++ strncpy(fcopy, filename, sizeof(fcopy) - 1); ++ fcopy[PATH_MAX] = '\0'; ++ ++ p = dirname(fcopy); ++ if (p == NULL) { ++ return EIO; ++ } ++ ++ if (stat(p, &st) == -1) { ++ return errno; ++ } ++ ++ /* The basedir exist, check the caller requested to watch it. 
++ * Otherwise return error as never will be notified. */ ++ ++ if ((snctx->snotify_flags & SNOTIFY_WATCH_DIR) == 0) { ++ return ENOENT; ++ } ++ } ++ ++ return EOK; ++} ++ + static errno_t copy_filenames(struct snotify_ctx *snctx, + const char *filename) + { + char *p; ++ char resolved[PATH_MAX + 1]; + char fcopy[PATH_MAX + 1]; ++ errno_t ret; ++ ++ ret = resolve_filename(snctx, filename, resolved, sizeof(resolved)); ++ if (ret != EOK) { ++ return ret; ++ } + +- strncpy(fcopy, filename, sizeof(fcopy) - 1); ++ strncpy(fcopy, resolved, sizeof(fcopy) - 1); + fcopy[PATH_MAX] = '\0'; + + p = dirname(fcopy); +@@ -400,7 +449,7 @@ static errno_t copy_filenames(struct snotify_ctx *snctx, + return ENOMEM; + } + +- strncpy(fcopy, filename, sizeof(fcopy) - 1); ++ strncpy(fcopy, resolved, sizeof(fcopy) - 1); + fcopy[PATH_MAX] = '\0'; + + p = basename(fcopy); +@@ -413,7 +462,7 @@ static errno_t copy_filenames(struct snotify_ctx *snctx, + return ENOMEM; + } + +- snctx->filename = talloc_strdup(snctx, filename); ++ snctx->filename = talloc_strdup(snctx, resolved); + if (snctx->filename == NULL) { + return ENOMEM; + } +-- +2.21.1 + diff --git a/SOURCES/0118-DOMAIN-Downgrade-log-message-type.patch b/SOURCES/0118-DOMAIN-Downgrade-log-message-type.patch new file mode 100644 index 0000000..f2427c3 --- /dev/null +++ b/SOURCES/0118-DOMAIN-Downgrade-log-message-type.patch 
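Review bot: resolve_filename accepts `resolved_size` but never reads it, and realpath(3) ignores any caller-supplied size and requires a buffer of at least PATH_MAX bytes, so the parameter documents a bound that is not enforced; either drop it or check it up front, `if (resolved_size < PATH_MAX + 1) { return EINVAL; }`. The ENOENT path relies on the glibc behaviour described in the in-code comment (resolved holding the partially resolved path after a failed call); on a libc without that extension the contents of `resolved` are unspecified after failure, and copy_filenames would then copy and watch an unspecified path, so copying `filename` into `resolved` in that branch would keep the function correct there — hedged, since this tree may only target glibc. A consequence worth recording in copy_filenames is that the watch is now placed on the resolved target, so if `filename` is a symlink that is later re-pointed at a different file (for example /etc/resolv.conf being switched by a resolver manager) changes to the new target are not observed until the watch is re-created; a comment such as `/* Watches the symlink target, not the link itself; re-pointing the link is not detected. */` would make that explicit. The body of copy_filenames continues outside the hunk.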
@@ -0,0 +1,41 @@ +From 5774526cf66d1e48b2226050e4dfeff394849771 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= +Date: Wed, 29 Apr 2020 12:48:40 +0200 +Subject: [PATCH] DOMAIN: Downgrade log message type + +Not all domains contains flat name. +This is specific and in most cases needed for AD domain. +In case of AD domain flat name checking and failure log already exists: +src/providers/ad/ad_domain_info.c +104 + +src/util/usertools.c contains more generic domain related +functions. In those cases missing of flat_name should not be +considered as failure. + +Resolves: +https://github.com/SSSD/sssd/issues/1032 + +Reviewed-by: Sumit Bose +(cherry picked from commit 4c93aa76d93fa786d52f78cd76d3afd94ee75ea2) +--- + src/util/usertools.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 33f4f7811..4e63f4e05 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -561,8 +561,8 @@ calc_flat_name(struct sss_domain_info *domain) + + s = domain->flat_name; + if (s == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Flat name requested but domain has no" +- "flat name set, falling back to domain name\n"); ++ DEBUG(SSSDBG_FUNC_DATA, "Domain has no flat name set," ++ "using domain name instead\n"); + s = domain->name; + } + +-- +2.21.1 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index d83ce6c..4be6a91 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -48,7 +48,7 @@ Name: sssd Version: 1.16.4 -Release: 37%{?dist}.3 +Release: 37%{?dist}.4 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
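Review bot: The two adjacent string literals in the new DEBUG call in calc_flat_name concatenate without a separator, so the logged text reads `...flat name set,using domain name instead` — the same missing-space defect the removed lines had between `no"` and `"flat`. Add the space to the first literal: `DEBUG(SSSDBG_FUNC_DATA, "Domain has no flat name set, "`. calc_flat_name starts before and ends after the hunk.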
@@ -171,6 +171,10 @@ Patch0111: 0111-Add-TCP-level-timeout-to-LDAP-services.patch Patch0112: 0112-sss_sockets-pass-pointer-instead-of-integer.patch Patch0113: 0113-SBUS-defer-deallocation-of-sbus_watch_ctx.patch Patch0114: 0114-memberof-keep-memberOf-attribute-for-nested-member.patch +Patch0115: 0115-MONITOR-Propagate-error-when-resolv.conf-does-not-ex.patch +Patch0116: 0116-MONITOR-Add-a-new-option-to-control-resolv.conf-moni.patch +Patch0117: 0117-MONITOR-Resolve-symlinks-setting-the-inotify-watcher.patch +Patch0118: 0118-DOMAIN-Downgrade-log-message-type.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1330,6 +1334,10 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Fri Jun 12 2020 Alexey Tikhonov - 1.16.4-37.4 +- Resolves: rhbz#1842861 - sssd boots offline if symlink for /etc/resolv.conf is broken/missing [rhel-7.8.z] +- Resolves: rhbz#1845009 - [Bug] Reduce logging about flat names [rhel-7.8.z] + * Fri Mar 27 2020 Alexey Tikhonov - 1.16.4-37.3 - Resolves: rhbz#1817380 - Removing an IPA sub-group should NOT remove the members from indirect parent that also belong to other subgroups