Ubuntu
freeipa package

freeipa-client has a hard dependency on "ntp" which is not wanted in lxd environment

Bug #1630911 reported by Brian Candler
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Note: the package is called "freeipa-client" but launchpad only lets me select "freeipa"]

The "freeipa-client" package has a hard dependency on "ntp".

However: when running Ubuntu inside an lxd container, ntpd cannot run: the host is responsible for setting the clock, not the container.

Hence I want to "apt-get remove ntp" from inside the container. But if I do so, this forcibly removes the "freeipa-client" package as well, because of the dependency. This in turn leaves a whole heap of dangling packages - see below - which are vulnerable to being accidentally removed.

Proposal: change to "Recommends: ntp" instead of "Depends: ntp"

-------------------------------------------------------------------------------
# apt-get remove ntp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bind9utils certmonger cracklib-runtime freeipa-common ieee-data iproute
  libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0
  libc-ares2 libcollection4 libcrack2 libcups2 libcurl3 libcurl3-nss libdhash1
  libfreetype6 libini-config5 libipa-hbac0 libjbig0 libjpeg-turbo8 libjpeg8
  liblcms2-2 libldb1 libnfsidmap2 libnl-3-200 libnl-route-3-200 libnspr4
  libnss-sss libnss3 libnss3-nssdb libnss3-tools libopts25 libpam-pwquality
  libpam-sss libpath-utils1 libpwquality-common libpwquality1 libref-array1
  libsmbclient libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtdb1 libtevent0
  libtiff5 libwebp5 libwebpmux1 libxmlrpc-core-c3 libxslt1.1 oddjob
  oddjob-mkhomedir python-bs4 python-cffi python-cffi-backend python-chardet
  python-cryptography python-dbus python-decorator python-dnspython
  python-enum34 python-gi python-gssapi python-html5lib python-idna
  python-imaging python-ipaclient python-ipaddress python-ipalib
  python-jwcrypto python-ldap python-libipa-hbac python-lxml python-memcache
  python-netaddr python-nss python-pil python-pkg-resources python-ply
  python-pyasn1 python-pycparser python-qrcode python-setuptools python-six
  python-sss python-talloc python-usb python-yubico samba-libs sssd sssd-ad
  sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap
  sssd-proxy
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  freeipa-client ntp
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 2002 kB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-client 4.3.1-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
Uname: Linux 4.4.0-34-generic x86_64
NonfreeKernelModules: nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip6table_filter ip6_tables xt_conntrack ufs msdos xfs binfmt_misc veth ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack isofs xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables zfs zunicode zcommon znvpair spl zavl ppdev xen_fbfront syscopyarea sysfillrect sysimgblt fb_sys_fops serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse floppy
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
Date: Thu Oct 6 09:05:52 2016
Ec2AMI: ami-c06b1eb3
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: eu-west-1a
Ec2InstanceType: t2.medium
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Brian Candler (b-candler) wrote :
Revision history for this message
Brian Candler (b-candler) wrote :

Or maybe what's needed is a virtual package called e.g. "synchronized-time", which freeipa-client depends on and is provided by ntp.

Then you could install a dummy package inside the container, which also provides "synchronized-time"

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

it's not that simple, the client setup would fail if there's no ntp installed, and I don't think there's a reliable way to detect lxc

Revision history for this message
Brian Candler (b-candler) wrote :

"the client setup would fail if there's no ntp installed"

In what way?

Is what you're really saying that the client setup would fail if the clock of the client is not within X seconds of the real time? That's correct, but is not the same as saying ntp must be installed.

There are other ways of obtaining time sufficiently synchronized for Kerberos to work; hence my second suggestion of having a virtual package meaning "the system must have synchronized time (somehow)". This is similar to the virtual package which says "the system must have a mail-transport-agent (but I don't care which one)"

However, "recommends" ntp would actually install it in most cases - i.e. unless the user specifies "--no-install-recommends", or has modified their apt config. If the user explicitly asks not to install "recommended" packages, then they are saying they are happy to deal with the possible consequences.

Also, I don't think detecting lxc/lxd is a good idea. There are other virtualization environments which ensure the guest clock is synchronized, without running NTP on the guest, so this would not be a generic solution.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

client install expects ntpd to be present

upstream is discussing whether ntp should be configured at all, since it's usually already configured by the distro

Revision history for this message
Brian Candler (b-candler) wrote :
Download full text (5.5 KiB)

> client install expects ntpd to be present

I'm not quite sure what you mean.

"freeipa-client --install" does indeed give NTP errors, but it still proceeds. Here is a transcript of installing freeipa-client inside a (privileged) 16.04 lxd container.

root@unifi:~# apt-get install freeipa-client sssd-tools
...
root@unifi:~# ipa-client-install --domain IPA.EXAMPLE.COM --mkhomedir -p admin -W
Discovery was successful!
Client hostname: unifi.int.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: IPA.EXAMPLE.COM
IPA Server: lon-ipa-1.int.example.com
BaseDN: dc=ipa,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for <email address hidden>:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Valid From: Thu Oct 27 15:27:53 2016 UTC
    Valid Until: Mon Oct 27 15:27:53 2036 UTC

Enrolled in IPA realm IPA.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.COM
trying https://lon-ipa-1.int.example.com/ipa/json
Forwarding 'ping' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring IPA.EXAMPLE.COM as NIS domain.
Client configuration complete.
root@unifi:~# id brian.candler
uid=1211000003(brian.candler) gid=1211000003(brian.candler) groups=1211000003(brian.candler),1211000000(admins)

(Note that in my case the KDC itself is in a container, so there is no NTP daemon running inside it for the client to talk to anyway)

So enrolment works. The problem is that installation of freeipa-client inside the client container has forcibly installed and started ntpd, which cannot possibly work:

root@unifi:~# dpkg-query -l ntp
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=======================-===========...

Read more...

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

alright, so it does install even without.. anyway, it's a no-brainer to demote as Recommends so I'll just do that

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---------------
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen <email address hidden> Fri, 17 Feb 2017 01:40:15 +0200

Changed in freeipa (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.