[Backport release-24.05] kanidm: 1.2.3 -> 1.3.3 #336528

Merged: 6 commits merged into NixOS:release-24.05 from kanidm/1.3.3-bp on Aug 22, 2024

Conversation

adamcstephens
Contributor

Description of changes

We need to upgrade stable to 1.3, as skip upgrades are not permitted. Since upstream currently releases quarterly, we will need to backport releases moving forward.

x86 tests: /nix/store/2nhjvgdccb83y5l788pmnc9w954kfbyv-vm-test-run-kanidm

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@mweinelt
Member

mweinelt commented Aug 22, 2024

Doesn't ofborg fail the same way on master? Cool find!

@adamcstephens
Contributor Author

Yep, I've added it to the master PR too. #336445

(cherry picked from commit e78f80b)
provision # [    8.223448] (kanidmd)[819]: kanidm.service: Failed to set up mount namespacing: /ofborg/checkout/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ofborg-evaluator-1/nixos/tests/common/acme/server: No such file or directory

(cherry picked from commit b93f6e4)
@adamcstephens
Contributor Author

The failing cherry pick is expected. Master has a set of changes for provisioning that are not in 24.05.

@mweinelt mweinelt merged commit 71fd3c2 into NixOS:release-24.05 Aug 22, 2024
6 of 8 checks passed
@adamcstephens adamcstephens deleted the kanidm/1.3.3-bp branch August 22, 2024 18:47
@niklaskorz
Contributor

niklaskorz commented Aug 28, 2024

Looks like this PR broke building kanidm on NixOS 24.05. Updating my system, it now tries to build kanidm from source and fails:

       > thread 'main' panicked at cargo-auditable/src/rustc_wrapper.rs:101:39:
       > called `Option::unwrap()` on a `None` value
       > note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
       > error: could not compile `kanidmd_lib` (lib test)
       > warning: build failed, waiting for other jobs to finish...
       For full logs, run 'nix log /nix/store/pv9c1hnfj78a7lbdbmz7bpyfvxqp61d9-kanidm-1.3.3.drv'

Edit: Hydra failed too, but with a timeout: https://hydra.nixos.org/build/270639154

@adamcstephens
Contributor Author

I built this multiple times to validate it. I kicked off another hydra build to see, but it looks like it maybe timed out or was terminated by hydra and not due to a build failure.

When building locally, you will want at least 16GB of memory.

@mweinelt
Member

Still building fine for me.

@niklaskorz
Contributor

@adamcstephens Timed out again on Hydra. The build itself finishes in one hour but the check phase gets stuck compiling the tests apparently.

@mweinelt
Member

Addressed through #338001.

@erictapen
Member

erictapen commented Aug 29, 2024

Does anybody else have a crashing service after this?

Aug 29 18:16:58 hetzner6 systemd[1]: Started kanidm identity management daemon.
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 📜 Using config file: "/nix/store/smfy8q5pbq4hfxd3p8l27v3asnqvi8gg-server.toml"
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: Log filter: Info
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: WARNING: /nix/store/smfy8q5pbq4hfxd3p8l27v3asnqvi8gg-server.toml has 'everyone' permission bits in the mode. This could be a security risk ...
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Running in server mode ...
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Starting kanidm with configuration: address: [::1]:18822, domain: erictapen.name, ldap address: [::1]:636, origin: https://auth.erictapen.name admin bind path: /run/kanidmd/sock, thread count: 8, dbpath: /var/lib/kanidm/kanidm.db, arcsize: AUTO, max request size: 262144b, trust X-Forwarded-For: false, with TLS: true, online_backup: enabled: true - schedule: 00 22 * * * versions: 0 path: /var/lib/kanidm/backups, integration mode: false, console output format: Text log_level: inforole: write replica, replication: disabled, otel_grpc_url: None
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO     system_initialisation [ 41.5ms | 22.61% / 100.00% ]
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO     ┝━ initialise_schema_core [ 30.7ms | 74.03% ]
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO     ┕━ initialise_domain_info [ 1.39ms | 3.36% ]
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┝━ 🚨 [error]: invalid attribute type refers | event_tag_id: 1 | e: InvalidAttributeName("refers")
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain token encryption key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain es256 private key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain cookie key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┝━ 🚨 [error]: es256_private_key_der domain_local - not found in the list of valid attributes for this set of classes ["builtin", "domain_info", "key_object", "key_object_internal", "key_object_jwe_a128gcm", "key_object_jwt_es256", "object", "system"] - valid attributes are ["class", "description", "domain_development_taint", "domain_display_name", "domain_ldap_basedn", "domain_name", "domain_ssid", "domain_uuid", "entry_managed_by", "key_internal_data", "key_provider", "last_modified_cid", "ldap_allow_unix_pw_bind", "name", "patch_level", "uuid", "version"] | event_tag_id: 1
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┝━ 🚨 [error]: Schema Violation in validation of modify_pre_apply AttributeNotValidForClass("es256_private_key_der") | event_tag_id: 1
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┕━ 🚨 [error]: initialise_domain_info -> result Err(SchemaViolation(AttributeNotValidForClass("es256_private_key_der"))) | event_tag_id: 1
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Unable to setup query server or idm server -> SchemaViolation(AttributeNotValidForClass("es256_private_key_der"))
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Failed to start server core!
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: Logging pipeline completed shutdown
Aug 29 18:16:58 hetzner6 systemd[1]: kanidm.service: Main process exited, code=exited, status=1/FAILURE
Aug 29 18:16:58 hetzner6 systemd[1]: kanidm.service: Failed with result 'exit-code'.

I don't really care, as it was just a dev setup, but I'm wondering whether this poses a bigger problem? Running on NixOS 24.05.
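For triaging a startup log like the one above, here is an added Python example; it is not kanidm or nixpkgs code. It parses the journal line format visible in the posted excerpt (timestamp, host, process[pid], then kanidmd's span id, level, tree prefix and tagged message), and pulls out the signals a practitioner would act on: whether the unit started and with what exit status, the warning that the config file has 'everyone' permission bits, which domain keys the server tried to regenerate during initialisation, every ERROR line, and the first SchemaViolation(...) it finds, which in this thread turned out to be a database written by 1.3.3 and then run under 1.2.3. The regexes are assumptions about the format shown here rather than a stable kanidmd interface, and the sample journal is constructed from the posted lines.

```python
"""Triage a kanidmd startup from systemd journal lines (added example, not
kanidm/nixpkgs code). Line-format regexes are assumptions drawn from the
excerpt posted in the thread, not a documented kanidmd interface."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One journal line: "Mon DD HH:MM:SS host proc[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.@-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# kanidmd message: "<span uuid> LEVEL   <tree prefix> <emoji> [tag]: <body>"
KANIDM_RE = re.compile(
    r"^(?P<span>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)\s+(?P<rest>.*)$"
)
TAG_RE = re.compile(r"\[(?:error|warn|info)\]:\s*(?P<body>.*)$")
EVERYONE_BITS_RE = re.compile(r"(?P<path>\S+) has 'everyone' permission bits")
REGEN_RE = re.compile(r"^regenerating (?P<what>[^|]+?)\s*\|")
SCHEMA_RE = re.compile(r'SchemaViolation\((?P<kind>\w+)\("(?P<attr>[^"]+)"\)\)')
EXIT_RE = re.compile(r"status=(?P<code>\d+)/\w+")


@dataclass
class StartupTriage:
    unit_started: bool = False
    pid: Optional[int] = None
    exit_code: Optional[int] = None
    world_readable_configs: List[str] = field(default_factory=list)
    regenerated_keys: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    schema_violation: Optional[Tuple[str, str]] = None  # (kind, attribute)

    @property
    def verdict(self) -> str:
        if self.schema_violation is not None:
            kind, attr = self.schema_violation
            return f"failed: schema violation {kind} on {attr!r} during initialisation"
        if self.exit_code is not None:
            return f"failed: main process exited with status {self.exit_code}"
        if self.errors:
            return "errors logged, process not seen exiting"
        return "no failure indicators"


def triage(journal_text: str, proc: str = "kanidmd", unit: str = "kanidm.service") -> StartupTriage:
    """Walk journal lines in order and collect the signals worth acting on."""
    t = StartupTriage()
    for line in journal_text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue  # not a journal line we understand; skip rather than guess
        msg = m["msg"]
        if m["proc"] == "systemd":
            if msg.startswith("Started "):
                t.unit_started = True
            elif msg.startswith(unit + ":"):
                ex = EXIT_RE.search(msg)
                if ex:
                    t.exit_code = int(ex["code"])
            continue
        if m["proc"] != proc:
            continue
        t.pid = int(m["pid"])
        km = KANIDM_RE.match(msg)
        if not km:
            continue  # plain lines such as "Log filter: Info"
        tag = TAG_RE.search(km["rest"])
        body = tag["body"] if tag else km["rest"].strip()
        if km["level"] == "WARN":
            wb = EVERYONE_BITS_RE.search(body)
            if wb:
                t.world_readable_configs.append(wb["path"])
        elif km["level"] == "INFO":
            rg = REGEN_RE.match(body)
            if rg:
                t.regenerated_keys.append(rg["what"])
        elif km["level"] == "ERROR":
            t.errors.append(body)
            sv = SCHEMA_RE.search(body)
            if sv and t.schema_violation is None:
                t.schema_violation = (sv["kind"], sv["attr"])  # first one is the root cause
    return t


# Constructed sample, trimmed from the journal excerpt posted in this thread.
SAMPLE_JOURNAL = """\
Aug 29 18:16:58 hetzner6 systemd[1]: Started kanidm identity management daemon.
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 WARN     🚧 [warn]: WARNING: /nix/store/smfy8q5pbq4hfxd3p8l27v3asnqvi8gg-server.toml has 'everyone' permission bits in the mode. This could be a security risk ...
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┝━ 🚨 [error]: invalid attribute type refers | event_tag_id: 1 | e: InvalidAttributeName("refers")
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain token encryption key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain es256 private key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 INFO        ┝━ i [info]: regenerating domain cookie key | event_tag_id: 10
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 93ba5f63-102c-4ddc-9b41-b3f026bb3ee2 ERROR       ┝━ 🚨 [error]: Schema Violation in validation of modify_pre_apply AttributeNotValidForClass("es256_private_key_der") | event_tag_id: 1
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Unable to setup query server or idm server -> SchemaViolation(AttributeNotValidForClass("es256_private_key_der"))
Aug 29 18:16:58 hetzner6 kanidmd[3838821]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Failed to start server core!
Aug 29 18:16:58 hetzner6 systemd[1]: kanidm.service: Main process exited, code=exited, status=1/FAILURE
"""

if __name__ == "__main__":
    result = triage(SAMPLE_JOURNAL)
    print(result.verdict)
    for path in result.world_readable_configs:
        print("world-readable config:", path)
```

Feed it `journalctl -u kanidm.service --no-pager` output; the verdict names the schema violation and the attribute, and the `regenerated_keys` list is worth a look on its own, since a server that starts regenerating domain signing and cookie keys before failing is a sign the database and binary disagree about the schema, which is exactly the upgrade-then-downgrade situation described later in this thread.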

@mweinelt
Member

1.3.3 from nixos-24.05 runs fine here.

@adamcstephens
Contributor Author

That looks like an issue with your data. Probably ask upstream if the specific errors aren’t clear enough to allow you to move forward.

@erictapen
Member

Oops, my bad. I upgraded to 1.3.3 and then downgraded to 1.2.3 again. No wonder my installation crashed 🙈

@mweinelt
Member

> Oops, my bad. I upgraded to 1.3.3 and then downgraded to 1.2.3 again. No wonder my installation crashed 🙈

Please file an issue for a clearer error message upstream!

4 participants