irods / irods

Open Source Data Management Software
https://irods.org
BSD 3-Clause "New" or "Revised" License

Unattended Install with SSL configuration results in error #7717

Open 0x010C opened 6 months ago

0x010C commented 6 months ago

Bug Report

iRODS Version, OS and Version

iRODS v4.3.1 on Debian 12

What did you try to do?

I'm currently automating the deployment of iRODS servers on our infrastructure. For this I use the --json_configuration_file parameter of the setup_irods.py script. This worked perfectly until I tried to activate SSL.

$ cat irods_unattended_installation.json
{
        .....
        "service_account_environment":{
                "irods_client_server_negotiation": "request_server_negotiation",
                "irods_client_server_policy": "CS_NEG_REQUIRE",
                "irods_ssl_certificate_chain_file": "/etc/ssl/irods/fullchain.pem",
                "irods_ssl_certificate_key_file": "/etc/ssl/irods/privkey.pem",
                "irods_ssl_dh_params_file": "/etc/ssl/irods/dhparams.pem",
                ...
        }
}

$ python3 /var/lib/irods/scripts/setup_irods.py --json_configuration_file irods_unattended_installation.json

Expected behavior

I'm expecting to have an up and running iRODS server with SSL enabled.

Observed behavior (including steps to reproduce, if applicable)

sudo python3 /var/lib/irods/scripts/setup_irods.py --json_configuration_file irods_unattended_installation.json
Error encountered running setup_irods:
Traceback (most recent call last):
  File "/var/lib/irods/scripts/setup_irods.py", line 523, in main
    setup_server(irods_config,
  File "/var/lib/irods/scripts/setup_irods.py", line 148, in setup_server
    test_put(irods_config)
  File "/var/lib/irods/scripts/setup_irods.py", line 180, in test_put
    raise IrodsError('Post-install test failed. Please check your configuration.')
irods.exceptions.IrodsError: Post-install test failed. Please check your configuration.

Looking closer, the script does not update the SSL setting in the /etc/irods/core.re file, although it does for the default resource for example.

$ cat /etc/irods/core.re
...
acPreConnect(*OUT) { *OUT="CS_NEG_REFUSE"; }
...
acSetRescSchemeForCreate {msiSetDefaultResc("myResc","null"); }
acSetRescSchemeForRepl {msiSetDefaultResc("myResc","null"); }
...

For information, as a workaround I currently patch the /var/lib/irods/packaging/core.re.template file directly before calling setup_irods.py, but I feel it would be cleaner if it could work without this hack.
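An added example, not part of the original report or of iRODS: a check a deployment pipeline could run to catch the mismatch described above, where the unattended JSON asks for CS_NEG_REQUIRE while core.re still carries CS_NEG_REFUSE. The function names, the sample inputs and the negotiation outcomes encoded in negotiate() (REQUIRE against REFUSE fails, any other pairing with REFUSE gives plain TCP, everything else gives TLS) are assumptions.

```python
import json
import re

# Matches an active (uncommented) rule: acPreConnect(*OUT) { *OUT="CS_NEG_REFUSE"; }
PRECONNECT_RE = re.compile(
    r'^[ \t]*acPreConnect\s*\(\s*\*(\w+)\s*\)\s*\{\s*\*\1\s*=\s*"(CS_NEG_\w+)"', re.M)
TLS_KEYS = ("irods_ssl_certificate_chain_file", "irods_ssl_certificate_key_file",
            "irods_ssl_dh_params_file")

def negotiate(client, server):
    """Assumed outcome of iRODS client/server negotiation for one policy pair."""
    pair = {client, server}
    if pair == {"CS_NEG_REQUIRE", "CS_NEG_REFUSE"}:
        return "FAILURE"
    return "TCP" if "CS_NEG_REFUSE" in pair else "SSL"

def check_deployment(install_json, core_re):
    """Compare the unattended-install JSON with core.re; return a list of findings."""
    env = json.loads(install_json).get("service_account_environment", {})
    wanted = env.get("irods_client_server_policy")
    if wanted is None:
        return ["irods_client_server_policy is not set in service_account_environment"]
    findings = []
    if wanted == "CS_NEG_REQUIRE":
        findings += [f"missing {key}" for key in TLS_KEYS if not env.get(key)]
    served = [m.group(2) for m in PRECONNECT_RE.finditer(core_re)]
    if not served:
        findings.append("no active acPreConnect rule in core.re")
    for policy in served:
        if negotiate(wanted, policy) == "FAILURE":
            findings.append(f"acPreConnect={policy} cannot negotiate with {wanted}")
        elif wanted == "CS_NEG_REQUIRE" and negotiate("CS_NEG_REFUSE", policy) == "TCP":
            findings.append(f"acPreConnect={policy} still accepts plain-TCP clients")
    return findings

# Constructed sample inputs, modelled on the snippets in the report above.
SAMPLE_JSON = json.dumps({"service_account_environment": {
    "irods_client_server_policy": "CS_NEG_REQUIRE",
    "irods_ssl_certificate_chain_file": "/etc/ssl/irods/fullchain.pem",
    "irods_ssl_certificate_key_file": "/etc/ssl/irods/privkey.pem",
    "irods_ssl_dh_params_file": "/etc/ssl/irods/dhparams.pem"}})
SAMPLE_CORE_RE = '''# acPreConnect(*OUT) { *OUT="CS_NEG_DONT_CARE"; }
acPreConnect(*OUT) { *OUT="CS_NEG_REFUSE"; }
acSetRescSchemeForCreate {msiSetDefaultResc("myResc","null"); }
'''

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_JSON, SAMPLE_CORE_RE):
        print("FINDING:", finding)
```

Run against the real files, a non-empty result before the post-install test points at the configuration that needs attention instead of the generic "Post-install test failed" message.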

trel commented 6 months ago

Thanks.