|Summary:||IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"|
|Product:||Red Hat Enterprise Linux 7||Reporter:||Nikhil Dehadrai <ndehadra>|
|Component:||ipa||Assignee:||IPA Maintainers <ipa-maint>|
|Status:||CLOSED ERRATA||QA Contact:||Namita Soman <nsoman>|
|Severity:||urgent||Docs Contact:||Aneta Šteflová Petrová <apetrova>|
|Version:||7.2||CC:||ekeck, enewland, gparente, ksiddiqu, mbasti, mkosek, ndehadra, pspacek, pvoborni, rcritten|
|Fixed In Version:||ipa-4.2.0-16.el7||Doc Type:||Known Issue|
Upgrading the ipa packages fails if the required openssl version is not installed

When the user attempts to upgrade the *ipa* packages, Identity Management (IdM) does not automatically install the required version of the *openssl* packages. Consequently, if the 1.0.1e-42 version of *openssl* is not installed before the user runs the "yum update ipa*" command, the upgrade fails during the DNSKeySync service configuration. To work around this problem, update *openssl* manually to version 1.0.1e-42 or later before updating *ipa*. This prevents the upgrade failure.
|:||1298097 (view as bug list)||Environment:|
|Last Closed:||2016-11-04 05:41:37 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1293340, 1364071, 1365572, 1373910|
Description Nikhil Dehadrai 2015-11-30 11:47:29 UTC
Description of problem:
IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup RHEL7.0 host with IPA master
2. Add RHEL7.2 and RHEL 7.2 update repos on the system.
3. run yum update ipa* sssd
4. Verify the logs for yum update process along with ipaupgrade process.

    # tail -f /var/log/messages
    # tail -f /var/log/ipaupgrade.log
    # tail -f /var/log/yum.log

Actual results:
1. After step4, Following error message is displayed during yum update process:

    IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
    Unexpected error - see /var/log/ipaupgrade.log for details:
    CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned non-zero exit status 1

2. ipa-upgrade is successful (rpm -qa | grep ipa-server*)
3. openssl version is not updated (remains as openssl-1.0.1e-34.el7.x86_64 in my case)

Expected results:
ipa-server upgrade should be successful without any errors.

Additional info:
1. When the server is upgraded using "yum update" command, no error messages are observed and the server is upgraded successfully.
2. Also openssl is upgraded to latest version. (openssl-1.0.1e-42.el7_1.9.x86_64)
Comment 2 Martin Bašti 2015-11-30 11:59:35 UTC
Created attachment 1100487 [details] Workaround patch
Comment 3 Petr Vobornik 2015-11-30 12:09:34 UTC
Workaround: update openssl package first to version at least 1.0.1e-42. Then update ipa package.
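A pre-flight check for the workaround in comment 3, as an added example that is not part of the original bug report or of the IPA project: it compares an installed openssl package string against the 1.0.1e-42 minimum using a simplified rpm-style segment comparison. The function names are hypothetical, and as an assumption the package epoch and the `~`/`^` version modifiers are ignored.

```python
import re

REQUIRED = ("1.0.1e", "42")  # minimum openssl version-release named on the page

def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1, like rpm's segment-wise comparison (no '~' or '^')."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with segments left over is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(nvra):
    """Split 'name-version-release.arch' as printed by rpm -q."""
    nvr, _arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def openssl_ready(nvra, required=REQUIRED):
    """True if the installed openssl meets the minimum needed before updating ipa."""
    name, version, release = parse_nvra(nvra)
    if name != "openssl":
        raise ValueError("not an openssl package: %s" % nvra)
    cmp_v = rpmvercmp(version, required[0])
    return cmp_v > 0 or (cmp_v == 0 and rpmvercmp(release, required[1]) >= 0)

if __name__ == "__main__":
    # The two package strings quoted in the bug description
    for pkg in ("openssl-1.0.1e-34.el7.x86_64", "openssl-1.0.1e-42.el7_1.9.x86_64"):
        state = "ok to update ipa" if openssl_ready(pkg) else "update openssl first"
        print(pkg, "->", state)
```

On a live host the input string would come from `rpm -q openssl`; here the two strings from the description are embedded so the check runs offline.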
Comment 4 Martin Kosek 2015-11-30 12:43:52 UTC
(In reply to Martin Bašti from comment #2)
> Created attachment 1100487 [details]
> Workaround patch

Please just note that "Requires(pre)" does not supersede "Requires". You can for example delete such package after upgrade. So it may make sense to keep both Requires in the spec file.
Comment 6 Petr Spacek 2015-11-30 13:10:55 UTC
Okay, so we may want to add Requires to softhsm.spec and Requires(pre) to ipa.spec. Is it a reasonable idea? Should I open a bug against softhsm?
Comment 7 Martin Bašti 2016-01-04 11:39:14 UTC
Created attachment 1111451 [details] Workaround patch update 1
Comment 8 Petr Spacek 2016-01-04 11:46:49 UTC
Comment on attachment 1111451 [details] Workaround patch update 1 Looks good, but we can stick with the old version if bug 1293340 is solved at the same time.
Comment 9 Martin Bašti 2016-01-07 15:31:08 UTC
The patch has been acked
Comment 15 Nikhil Dehadrai 2016-08-10 13:03:35 UTC
IPA server version: ipa-server-4.4.0-7.el7.x86_64

Tested the bug on the basis of following steps:
1. Tested that IPA server configured on RHEL 7.0 is upgraded from 7.0 to 7.3.
2. Noticed that ipaupgrade.log file is created at /var/log/ipaupgrade.log.
3. Noticed that var/log/ipaupgrade.log file is not updated. See below:

    [root@vm-idm-011 log]# rpm -q ipa-server
    ipa-server-4.4.0-7.el7.x86_64
    [root@vm-idm-011 log]# ls -al ipaupgrade.log
    -rw-r--r--. 1 root root 0 Aug 10 17:59 ipaupgrade.log
    [root@vm-idm-011 log]# cat ipaupgrade.log
    [root@vm-idm-011 log]#

Thus on the basis of above observations, marking the status of bug to "ASSIGNED".
Comment 16 Martin Bašti 2016-08-10 13:36:58 UTC
Can you provide more info? Any output from yum upgrade? Can you re-run ipa-server-upgrade?
Comment 17 Nikhil Dehadrai 2016-08-10 14:01:33 UTC
Hi Martin,

Please find the details as below:

    [root@vm-idm-011 log]# cat yum.log | grep ipa-server
    Aug 10 13:25:33 Installed: ipa-tests-ipa-server-rhel70-shared-sgoveas.20150107141511-0.noarch
    Aug 10 13:26:21 Installed: ipa-tests-ipa-server-rhel70-quickinstall-spoore.20140812195047-0.noarch
    Aug 10 13:28:29 Installed: ipa-server-3.3.3-28.el7.x86_64
    Aug 10 17:59:03 Installed: ipa-server-common-4.4.0-7.el7.noarch
    Aug 10 17:59:05 Installed: ipa-server-4.4.0-7.el7.x86_64
    Aug 10 17:59:06 Installed: ipa-server-dns-4.4.0-7.el7.noarch

On running ipa-server-upgrade I notice following:

    [root@vm-idm-011 ~]# ipa-server-upgrade
    Traceback (most recent call last):
      File "/usr/sbin/ipa-server-upgrade", line 10, in <module>
        from ipaserver.install.ipa_server_upgrade import ServerUpgrade
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 9, in <module>
        from ipaserver.install import server
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 5, in <module>
        from .install import Server
      File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 35, in <module>
        from ipaserver.install import (
      File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 9, in <module>
        from ipaserver.install import cainstance, dsinstance, bindinstance
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 72, in <module>
        from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 30, in <module>
        from pki.client import PKIConnection
      File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
        from requests.packages.urllib3.exceptions import InsecureRequestWarning
    ImportError: No module named packages.urllib3.exceptions

Let me know if you need access to the machine.
Comment 18 Martin Bašti 2016-08-10 14:15:55 UTC
This is a dogtag issue

      File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
        from requests.packages.urllib3.exceptions import InsecureRequestWarning
    ImportError: No module named packages.urllib3.exceptions

There are already several bugs for that.
Comment 19 Martin Bašti 2016-08-10 14:30:56 UTC
here: https://bugzilla.redhat.com/show_bug.cgi?id=1364071 I don't know how to handle this, but we cannot fix it on IPA side :)
Comment 20 Martin Kosek 2016-08-11 06:34:25 UTC
If this is fixed with pki-core-10.3.3-5.el7, you can simply bump Requires in ipa and move this bug to ON_QA. No?
Comment 21 Martin Bašti 2016-08-11 07:20:33 UTC
I don't know if it was fixed, bz1364071 is still ON_QA
Comment 23 Petr Vobornik 2016-08-23 12:04:52 UTC
The issue will be fixed in bug 1364071 and bug 1365572. Temporary workaround: update: python-requests to version >= 2.6.0
Comment 24 Petr Vobornik 2016-09-05 14:51:54 UTC
Both bug 1364071 and bug 1365572 are on QA which should fix the issue in comment 17.
Comment 25 Nikhil Dehadrai 2016-09-22 13:30:25 UTC
IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of following points:
1. Verified that IPA server upgrade is successful for path RHEL 7.0 to RHEL 7.3.
2. "DNS timed out error" message is not displayed at the console.
3. "httpd.service" error message is not observed in ipaupgrade.log.
4. No errors related to import of urllib3.exceptions are noticed in ipaupgrade.log
5. The dummy dns forwardzone details created at 7.0 are reflected after upgrade.

Thus on the basis of observations above, marking the status of bug to "VERIFIED".
Comment 28 errata-xmlrpc 2016-11-04 05:41:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html