The FreeIPA team would like to announce the FreeIPA 4.8.10 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.8.10
8275: Support systemd-resolved
FreeIPA DNS servers now detect systemd-resolved and configure it to pass through itself.
8404: Detect and fail if not enough memory is available for installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.
8488: SELinux blocks custodia key replication / retrieval for sub-CAs
SELinux: Make sure ipa_custodia_t has the necessary rights; add dedicated policy rules for ipa-pki-retrieve-key.
8490: It is not possible to edit KDC database when the FreeIPA server is running
kadmin.local command ‘getprincs’ is now supported
8503: pkispawn logs files are empty
On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with --debug to revert to the previous behavior.
8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
Support reproducible builds for jQuery library
Enhancements
Known Issues
Bug fixes
FreeIPA 4.8.10 is a stabilization release for the features delivered as part of the 4.8.10 version series.
There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
#5914 (rhbz#1298288) invalid setting of DS lock table size
#6115 (rhbz#1357495) ipa command provides stack trace when provided with single hyphen commands
#7125 (rhbz#1480102) ipa-server-upgrade fails with “This entry already exists”
#8204 (rhbz#1810148) ipa-server-certinstall -> certmonger add_subject template-subject dbus ‘unable to set arguments’ a{sv}
#8248 httpd ccaches created during server upgrade aren’t cleaned up on uninstall/install
#8275 (rhbz#1880628) Support systemd-resolved
#8344 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
#8383 Test with dnspython 2.0
#8404 Detect and fail if not enough memory is available for installation
#8443 ipa delegation-add can add permissions and attributes several times
#8446 ipa dnszone-add ignores --name-from-ip option if name is given
#8458 auto-upgrade will never happen for existing installations
#8468 [pylint] new warnings on dev branch
#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
#8473 Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
#8474 Mozilla’s NSS without DBM
#8475 Azure: tox task and virtualenv 20+
#8481 Nightly test failure in rawhide in tasks.configure_dns_for_trust
#8488 (rhbz#1868432) SELinux blocks custodia key replication / retrieval for sub-CAs
#8490 (rhbz#1875001) It is not possible to edit KDC database when the FreeIPA server is running
#8491 Unindexed searches in FreeIPA git master
#8494 Azure Pipelines are broken due to docker compose tool upgrade
#8503 (rhbz#1879604) pkispawn logs files are empty
#8505 Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
#8507 [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
#8511 The selinux subpackage does not have a requirement to match the server install
#8512 Import of psutil can trigger SELinux violation
#8513 (rhbz#1868432) SELinux module fails to load: Re-declaration of type node_t
#8515 (rhbz#1882340) nsslapd-db-locks patching no longer works
Detailed changelog since 4.8.9
Armando Neto (3)
Alexander Bokovoy (6)
Christian Heimes (11)
François Cami (12)
SELinux: do not double-define node_t and pki_tomcat_cert_t commit #8513
SELinux Policy: Allow tomcat_t to read kerberos keytabs commit #8488
SELinux Policy: make interfaces for kernel modules non-optional commit #8488
SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type commit #8488
SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t commit #8488
SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t commit #8488
SELinux Policy: let custodia_t map custodia_tmp_t commit #8488
SELinux: Add dedicated policy for ipa-pki-retrieve-key commit #8488
Florence Blanc-Renaud (4)
Mohammad Rizwan (3)
Rob Crittenden (19)
Test that ccaches are cleaned up during installation commit #8248
Clean up entire /run/ipa/ccaches directory not just files commit #8248
Reduce the memory requirement from 1.6 to 1.2 GB commit #8404
Require a matching server package for the selinux subpackage commit #8511
ipatests: Add test for ACI attribute and permission uniqueness commit #8443
Use ACI class set_permissions() method to set permissions commit #8443
ipatests: Add tests for checking available memory commit #8404
Require at least 1.6Gb of available RAM to install the server commit #8404
ipatests: test that a zone name and name-from-ip will be rejected commit #8446
Don’t allow both a zone name and --name-from-ip to be provided commit #8446
Set the certmonger subject with a string, not an object commit #8204
ipatests: test ipa_server_certinstall with an IPA-issued cert commit #8204
Fall back to old server installation detection when needed commit #8458
cli: When parsing options require name/value pairs commit #6115
ipatests: Add option/arg parsing tests for the cli commit #6115
Stanislav Levin (13)
dns: Make use of `resolve_address` of a current resolver instead of the global one commit
Azure: Increase verbosity for Tox task commit
deps: Require `nss-tools` for make’s fasttest target commit
nss: Raise exception earlier on unsupported DB type commit #8474
Azure: base: Collect both install and uninstall logs commit
Azure: Drop dependency on UsePythonVersion task commit
Azure: Add Rawhide definitions commit
Sergey Orlov (2)
Sumedh Sidhaye (1)
This is a manual backport of freeipa/freeipa# commit
Serhii Tsymbaliuk (1)
Sudhir Menon (1)
ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust commit