Update CA bundle path in krb5 config (el9to10)

[jrisc]

In RHEL10, the historical /etc/ssl/certs/ca-certificates.crt CA bundle file was replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. The CA bundle file might be used as pkinit_anchors in MIT krb5 configuration files.

The krb5conf actors search for occurrences of the old CA bundle path, and replace them with the new one.

jira: RHEL-65265

[github-actions]

Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable.
If you want to request a review or rebuild a package in copr, you can use following commands as a comment:

• review please @oamg/developers to notify leapp developers of the review request
• /packit copr-build to submit a public copr build using packit

Packit will automatically schedule regression tests for this PR's build and latest upstream leapp build.
However, here are additional useful commands for packit:

• /packit test to re-run manually the default tests
• /packit retest-failed to re-run failed tests manually
• /packit test oamg/leapp#42 to run tests with leapp builds for the leapp PR#42 (default is latest upstream - main - build)

Note that first time contributors cannot run tests automatically - they need to be started by a reviewer.

It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported, beaker-minimal and kernel-rt, both can be used to be run on all upgrade paths or just a couple of specific ones.
To launch on-demand tests with packit:

• /packit test --labels kernel-rt to schedule kernel-rt tests set for all upgrade paths
• /packit test --labels beaker-minimal-8.10to9.4,kernel-rt-8.10to9.4 to schedule kernel-rt and beaker-minimal test sets for 8.10->9.4 upgrade path

See other labels for particular jobs defined in the .packit.yaml file.

Please open ticket in case you experience technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

[pirat89]

@jrisc Hi \o thank you for the contribution. I am aware that for first contributors tests are not performed automatically and it could you to wait for our approval always. You can execute tests locally in container using Makefile from the main dir:

TEST_CONTAINER=rhel9 make test_container

see make help for more prepared stuff. Note that I realized that rhel9 container is not documented in the help page, but it's working otherwise.

[pirat89]

The code looks good in general. I found just one thing which is weird to me and based on the outcome of the discussion there could be another things to change or not.

[pirat89]

if we are sure that all files wil be always present and rw operation will allowed, it's ok. otherwise we should cover it by try-except:

try:
     ...
except IOError as e:
    # log error
    return  # give it a chance to fix other files still

[jrisc]

Since the file list is supposed to be collected just before by the scankrb5conf actor, I think we can expect the files to still be there at this point.

I just realize that I forgot to rename this source file though... 😅

[jrisc]

I renamed the file in 724f6be.

[jrisc]

Is Leapp running as root? If that's the case, I don't expect it to face any file permissions problems. However, if it is not and one of the krb5 config file in /etc/krb5.conf.d/ is not publicly readable (which makes no sense, but is technically possible), it will probably cause the scankrb5conf actor to fail. Do you think I should just log a warning and skip the erroneous file in this case?

[pirat89]

you are right. yes, it is running as root always and as we could read it before, we should be able to read it later as well - DAC is ignored by root, selinux will be always in disabled or permissive mode, and I do not expect someone would set an ACL on these files (like making them immutable). So only thing here would be if a file is removed or moved/renamed during the RPM transaction.

[jrisc]

@pirat89 It seems that failing tests are cause by the absence of RPM database. Is there a way to handle this case, or it just cannot be tested?

[MichalHe]

The solution looks code-wise very good, thank you. I left some minor comments intended to ease with maintenance of the code.

[MichalHe]

Suggested change

	'updated to point the new X.509 CA bundle file'),
	'updated to point to the new X.509 CA bundle file'),

[MichalHe]

Could you please add a function that takes a list of entries (e.g. unmanaged files) and outputs the list formatted in human readable form? I see that the same pattern is used in both created reports. The function could improve readability as I had to think a bit about what the output would look like.

[MichalHe]

Could you please add more details what is the nature of the update?

[MichalHe]

Out of curiosity, what does odtd means?

[MichalHe]

The comment is a bit malformed. Maybe something like this?

Suggested change

	# We do not potential files provided by Red Hat RPMs
	# We only want to handle files signed by the distribution, because we have no guarantees about third party packages

[pirat89]

@jrisc @MichalHe let's move this to the plan for the next release (9.8 -> 10.2 is anyway the milestone where upgrades 9 -> 10 is becoming more interesting). @jrisc in the meanwhile, rebase please the branch against the up-to-date upstream so it resolves problems with tests.