Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1695063 - IPA upgrade fails for latest ipa package with error "Job for ipa.service failed because the control process exited with error code"
Summary: IPA upgrade fails for latest ipa package with error "Job for ipa.service fail...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-02 12:16 UTC by Nikhil Dehadrai
Modified: 2019-04-03 11:50 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-03 11:50:29 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Nikhil Dehadrai 2019-04-02 12:16:25 UTC
Description of problem:
IPA upgrade fails for latest ipa package with error "Job for ipa.service failed because the control process exited with error code"

Version-Release number of selected component (if applicable):
ipa-4.6.5-3.el7

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA-MASTER server at version RHEL 75z
2. Use the latest repo for RHEL 7.7
3. Update the IPA server in step1, to latest version using:
# yum -y update 'ipa*' sssd

Actual results:
IPA server upgrade FAILS

Console output:
  Cleanup    : libsss_sudo-1.16.0-19.el7_5.8.x86_64                     160/162 
  Cleanup    : libipa_hbac-1.16.0-19.el7_5.8.x86_64                     161/162 
  Cleanup    : 389-ds-base-libs-1.3.7.5-28.el7_5.x86_64                 162/162
Job for ipa.service failed because the control process exited with error code. See "systemctl status ipa.service" and "journalctl -xe" for details.
warning: %posttrans(ipa-server-4.6.5-3.el7.x86_64) scriptlet failed, exit status 1
Non-fatal POSTTRANS scriptlet failure in rpm package ipa-server-4.6.5-3.el7.x86_64
  Verifying  : sssd-dbus-1.16.4-8.el7.x86_64                              1/162 
  Verifying  : python-magic-5.11-35.el7.noarch                            2/162 


Ipa upgrade log snippet:
-------------------------
2019-04-02T09:40:01Z DEBUG Waiting for CA to start...
2019-04-02T09:40:02Z DEBUG request POST http://sparks.nd2aprnor.pnq:8080/ca/admin/ca/getStatus
2019-04-02T09:40:02Z DEBUG request body ''
2019-04-02T09:40:02Z DEBUG response status 500
2019-04-02T09:40:02Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Tue, 02 Apr 2019 09:40:02 GMT
Connection: close

2019-04-02T09:40:02Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-04-02T09:40:02Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2019-04-02T09:40:02Z DEBUG Waiting for CA to start...
2019-04-02T09:40:03Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-04-02T09:40:03Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 56, in run
    raise admintool.ScriptError(str(e))

2019-04-02T09:40:03Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: CA did not start in 300.0s
2019-04-02T09:40:03Z ERROR CA did not start in 300.0s
2019-04-02T09:40:03Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information



Expected results:
IPA upgrade should be successful

Additional info:
Similar issue is observed with following upgrade paths:
RHEL 73z> RHEL 77
RHEL 72z> RHEL 77
RHEL 71z> RHEL 77
RHEL 70> RHEL 77

This issue is not observed with upgrade path:
RHEL76z > RHEL77
RHEL74z > RHEL77

Comment 5 Florence Blanc-Renaud 2019-04-03 11:50:29 UTC
1. According to Linux Domain Identity, Authentication, and Policy Guide, chapter 8.1.1. Considerations for Updating Identity Management (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/updating-migrating#update-ipa-prereqs), upgrade should be done one version at a time:

----8<----
Red Hat recommends upgrading to the next version only. For example, if you want to upgrade to Identity Management for Red Hat Enterprise Linux 7.4, we recommend upgrading from Identity Management for Red Hat Enterprise Linux 7.3. Upgrading from earlier versions can cause problems. 
---->8----


2. If all the packages are updated with "yum update -y" instead of "yum update -y sssd 'ipa-*'", ipa-server-upgrade succeeds.

Hence closing as NOT A BUG


Note You need to log in before you can comment on or make changes to this bug.