Bug 33463 - Ошибка обновления FreeIPA Server
Summary: Ошибка обновления FreeIPA Server
Status: CLOSED FIXED
Alias: None
Product: Branch p8
Classification: Distributions
Component: freeipa-server (show other bugs)
Version: не указана
Hardware: all Linux
: P3 blocker
Assignee: Andrey Cherepanov
QA Contact: qa-p8@altlinux.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-10 16:34 MSK by Sergey Novikov
Modified: 2017-05-16 16:07 MSK (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sergey Novikov 2017-05-10 16:34:13 MSK 
Обновление сервера FreeIPA падает с ошибкой:
# ipa-server-upgrade
session memcached servers not running
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
/etc/dirsrv/slapd-IPA-BASEALT-RU/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd2/conf/nss]
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [error] RuntimeError: OpenDNSSEC UID not found
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
OpenDNSSEC UID not found
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Версия до обновления:
# rpm -qa |grep freeipa
python-module-freeipa-4.3.2-alt8.M80P.1
freeipa-server-common-4.3.2-alt8.M80P.1
freeipa-client-4.3.2-alt8.M80P.1
freeipa-server-4.3.2-alt8.M80P.1
freeipa-client-common-4.3.2-alt8.M80P.1
freeipa-admintools-4.3.2-alt8.M80P.1
freeipa-common-4.3.2-alt8.M80P.1
freeipa-server-dns-4.3.2-alt8.M80P.1

Версия после обновления:
# rpm -qa |grep freeipa
freeipa-client-4.3.3-alt1.M80P.1
freeipa-client-common-4.3.3-alt1.M80P.1
freeipa-server-4.3.3-alt1.M80P.1
freeipa-server-common-4.3.3-alt1.M80P.1
python-module-freeipa-4.3.3-alt1.M80P.1
freeipa-server-dns-4.3.3-alt1.M80P.1
freeipa-common-4.3.3-alt1.M80P.1
freeipa-admintools-4.3.3-alt1.M80P.1
Comment 1 Anton Farygin 2017-05-10 16:45:18 MSK 
Воспроизводится на стенде.
Comment 2 Mikhail Efremov 2017-05-10 18:13:30 MSK 
Я вообще не пробовал запускать эту команду и не думаю, что она необходима при данном обновлении. Там нет изменений конфигурации, которые бы требовалось как-то обрабатывать, что и пытается делать этот скрипт.
DNSSEC я там тоже оторву, конечно, но это никак не блокер.
Comment 3 Sergey Novikov 2017-05-10 18:14:54 MSK 
После обновления сервис IPA не стартует и просит выполнить команду ipa-server-upgrade
Comment 4 Mikhail Efremov 2017-05-10 21:03:08 MSK 
Да, он проверяет версию при старте, похоже. Можно конечно пока оторвать проверку, но тогда уж лучше сразу чинить ipa-server-upgrade, в будущем все равно понадобится.
Comment 5 Repository Robot 2017-05-16 16:07:58 MSK 
freeipa-4.3.3-alt3 -> sisyphus:

Tue May 16 2017 Mikhail Efremov <sem@altlinux.org> 4.3.3-alt3
- server: Require pki-kra.
- Run ipa-server-upgrade at package update.
- Add ipa_configured script.
- Fix ipa-server-upgrade (closes: #33463).
- Set JAVA_STACK_SIZE to 8m.