Bug 1161128

Summary: Upgrade 3.3.5 to 4.1 failed
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.0
CC: jcholast, mkosek, pvoborni, rcritten, spoore
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.1.0-6.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:14:29 UTC

Description Martin Kosek 2014-11-06 13:04:14 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4670

{{{
2014-10-30T13:39:06Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': 
2014-10-30T13:39:06Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 152, in __upgrade
    self.modified = (ld.update(self.files, ordered=True) or
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 131, in update
    ld.update_from_dict(updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in update_from_dict
    self._run_updates(updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 799, in _run_updates
    self._update_record(update)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 661, in _update_record
    e = self._get_entry(new_entry.dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 544, in _get_entry
    return self.conn.get_entries(dn, scope, searchfilter, sattrs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1421, in get_entries
    base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527, in find_entries
    break
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
    error=info)
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket': 
}}}

Entries are not updated. Upgrade has to be done manually.
{{{
# ipactl restart
# ipa-ldap-updater --upgrade
# ipa-upgradeconfig
}}}
After manual update, IPA works as expected.
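
Added example, not part of the original report or of FreeIPA's code: a Python scan that finds `Upgrade failed` entries in log text of the format quoted above, decodes the percent-encoded `ldapi://` URL into the socket path it names, and picks up the exception that closes the traceback, so an administrator can tell that the manual update steps are needed. The sample log is constructed from the excerpt above, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the log excerpt quoted in the description.
SAMPLE_LOG = """\
2014-10-30T13:39:05Z DEBUG Parsing update file (constructed line)
2014-10-30T13:39:06Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket':
2014-10-30T13:39:06Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
    error=info)
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket':
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
FAILED = re.compile(r"^(" + TIMESTAMP + r") ERROR Upgrade failed with (.*)$")
LDAPI_URL = re.compile(r"'(ldapi://[^']+)'")
EXCEPTION = re.compile(r"^([A-Za-z_][\w.]*): ")


def ldapi_socket_path(url):
    """Decode an ldapi:// URL into the UNIX socket path it names."""
    prefix = "ldapi://"
    if not url.startswith(prefix):
        raise ValueError("not an ldapi URL: %r" % url)
    return unquote(url[len(prefix):])


def find_failed_upgrades(log_text):
    """Return one record per 'Upgrade failed' entry in the log text."""
    findings, current, in_traceback = [], None, False
    for line in log_text.splitlines():
        failed = FAILED.match(line)
        if failed:
            url = LDAPI_URL.search(failed.group(2))
            current = {
                "time": failed.group(1),
                "reason": failed.group(2).strip(),
                "socket": ldapi_socket_path(url.group(1)) if url else None,
                "exception": None,
            }
            findings.append(current)
            in_traceback = False
        elif current and "Traceback (most recent call last):" in line:
            in_traceback = True
        elif in_traceback and EXCEPTION.match(line):
            # First unindented "Name: message" line closes the traceback.
            current["exception"] = EXCEPTION.match(line).group(1)
            in_traceback = False
    return findings
```
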

Comment 3 Petr Vobornik 2014-11-11 16:52:50 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4708

Comment 5 Martin Kosek 2014-11-13 12:26:49 UTC
I will also link this bug to
https://fedorahosted.org/freeipa/ticket/4622

which fixes another upgrade issue.

Comment 7 Martin Kosek 2014-11-13 12:33:11 UTC
Linking another upstream upgrade issue related to cn=ADTrust Agents,cn=privileges update tracked in
https://fedorahosted.org/freeipa/ticket/4680

Comment 9 Scott Poore 2015-01-13 02:09:23 UTC
Martin, 

Did this one affect upgrades from 3.3.3 to 4.1.0 also, or just 3.3.5?

Thanks,
Scott

Comment 10 Martin Kosek 2015-01-13 11:19:06 UTC
Upgrade from 3.3.3 was also affected. Given the nature of the bugs, I think that simply testing if RHEL-7.0 cleanly upgrades to RHEL-7.1 is sufficient.

Comment 11 Scott Poore 2015-01-13 16:29:04 UTC
Verified.

Version ::
---> Package ipa-server.x86_64 0:3.3.3-28.el7 will be updated
---> Package ipa-server.x86_64 0:4.1.0-13.el7 will be an update

Results ::

# Confirm older RPM version (3.3.3):

[root@rhel7-3 ~]# rpm -q ipa-server
ipa-server-3.3.3-28.el7.x86_64

# Configure IPA:

[root@rhel7-3 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.COM -a Secret123 -p Secret123 -U

...

# Check basic functionality:

[root@rhel7-3 ~]# kinit admin
Password for admin: 

[root@rhel7-3 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1242000000
  GID: 1242000000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-3 ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: rhel7-3.example.com
  Principal name: host/rhel7-3.example.com
  Password: False
  Keytab: True
  Managed by: rhel7-3.example.com
  SSH public key fingerprint: 09:08:0E:9C:B1:31:B4:9C:BA:9A:CB:A4:C7:59:38:C0 (ecdsa-sha2-nistp256),
                              3B:1D:A4:75:73:86:11:35:51:0D:2A:B6:18:17:0B:C8 (ssh-rsa)
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-3 ~]# ipa dnszone-find
  Zone name: 122.168.192.in-addr.arpa.
  Authoritative nameserver: rhel7-3.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421164465
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;

  Zone name: example.com
  Authoritative nameserver: rhel7-3.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421164471
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

# Upgrade:

[root@rhel7-3 ~]# cat > /etc/yum.repos.d/beaker-rhel-7.1-server.repo << EOF1
...
EOF1

[root@rhel7-3 ~]# cat > /etc/yum.repos.d/beaker-rhel-7.1-server-optional.repo << EOF1
...
EOF1

[root@rhel7-3 ~]# yum -y update ipa-server sssd
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:3.3.3-28.el7 will be updated
---> Package ipa-server.x86_64 0:4.1.0-13.el7 will be an update
...
Complete!

# Check some basics after upgrade:

[root@rhel7-3 ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1242000000
  GID: 1242000000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-3 ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: rhel7-3.example.com
  Principal name: host/rhel7-3.example.com
  Password: False
  Keytab: True
  Managed by: rhel7-3.example.com
  SSH public key fingerprint: 09:08:0E:9C:B1:31:B4:9C:BA:9A:CB:A4:C7:59:38:C0 (ecdsa-sha2-nistp256),
                              3B:1D:A4:75:73:86:11:35:51:0D:2A:B6:18:17:0B:C8 (ssh-rsa)
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-3 ~]# ipa dnszone-find
  Zone name: example.com
  Active zone: TRUE
  Authoritative nameserver: rhel7-3.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421166102
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 122.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: rhel7-3.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1421166102
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 2
----------------------------

# And just to confirm, make sure we've got the new version of IPA:

[root@rhel7-3 ~]# rpm -q ipa-server
ipa-server-4.1.0-13.el7.x86_64
[root@rhel7-3 ~]#

Comment 14 errata-xmlrpc 2015-03-05 10:14:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html