Bug 1286635

Summary: IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
Product: Red Hat Enterprise Linux 7 Reporter: Nikhil Dehadrai <ndehadra>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: urgent    
Version: 7.2CC: ekeck, enewland, gparente, ksiddiqu, mbasti, mkosek, ndehadra, pspacek, pvoborni, rcritten
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-16.el7 Doc Type: Known Issue
Doc Text:
Upgrading the ipa packages fails if the required openssl version is not installed When the user attempts to upgrade the *ipa* packages, Identity Management (IdM) does not automatically install the required version of the *openssl* packages. Consequently, if the 1.0.1e-42 version of *openssl* is not installed before the user runs the "yum update ipa*" command, the upgrade fails during the DNSKeySync service configuration. To work around this problem, update *openssl* manually to version 1.0.1e-42 or later before updating *ipa*. This prevents the upgrade failure.
 Story Points: ---
Clone Of:
: 1298097 (view as bug list) Environment:
Last Closed: 2016-11-04 05:41:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1293340, 1364071, 1365572, 1373910    
Bug Blocks: 1298097    
Attachments:
Description Flags
Workaround patch
none
Workaround patch update 1 pspacek: review+

Description Nikhil Dehadrai 2015-11-30 11:47:29 UTC 
Description of problem:
IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.3.x86_64


How reproducible: Always


Steps to Reproduce:
1. Setup RHEL7.0 host with IPA master
2. Add RHEl7.2 and RHEL 7.2 update repos on the system.
3. run yum update ipa* sssd
4. Verify the logs for yum update process along with ipaupgrade process.
# tail -f /var/log/messages
# tail -f /var/log/ipaupgrade.log
# tail -f /var/log/yum.log

Actual results:
1. After step4, Following error message is displayed during yum update process:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned non-zero exit status 1

2. ipa-upgrade is successful (rpm -qa | grep ipa-server*)
3. openssl version is not updated (remains as openssl-1.0.1e-34.el7.x86_64 in my case)



Expected results:
ipa-server upgrade should be successful without any errors.

Additional info:
1. When the server is upgraded using "yum update" command, no error messages are observed and the server is upgraded successfully. 
2. Also openssl is upgraded to latest version.(openssl-1.0.1e-42.el7_1.9.x86_64)
Comment 2 Martin Bašti 2015-11-30 11:59:35 UTC 
Created attachment 1100487 [details]
Workaround patch
Comment 3 Petr Vobornik 2015-11-30 12:09:34 UTC 
Workaround: update openssl package first to version at least 1.0.1e-42. Then update ipa package.
Comment 4 Martin Kosek 2015-11-30 12:43:52 UTC 
(In reply to Martin Bašti from comment #2)
> Created attachment 1100487 [details]
> Workaround patch

Please just note that "Requires(pre)" does not supersede "Requires". You can for example delete such package after upgrade. So it may make sense to keep both Requires in the spec file.
Comment 6 Petr Spacek 2015-11-30 13:10:55 UTC 
Okay, so we may want to add Requires to softhsm.spec and Requires(pre) to ipa.spec. Is it a reasonable idea? Should I open a bug against softhsm?
Comment 7 Martin Bašti 2016-01-04 11:39:14 UTC 
Created attachment 1111451 [details]
Workaround patch update 1
Comment 8 Petr Spacek 2016-01-04 11:46:49 UTC 
Comment on attachment 1111451 [details]
Workaround patch update 1

Looks good, but we can stick with the old version if bug 1293340 is solved at the same time.
Comment 9 Martin Bašti 2016-01-07 15:31:08 UTC 
The patch has been acked
Comment 15 Nikhil Dehadrai 2016-08-10 13:03:35 UTC 
IPA server version: ipa-server-4.4.0-7.el7.x86_64

Tested the bug on the basis of following steps:
1. Tested that IPA server configured on RHEL 7.0 is upgraded from 7.0 to 7.3.
2. Noticed that ipaupgrade.log file is created at /var/log/ipaupgrade.log.
3. Noticed that var/log/ipaupgrade.log file is not updated.

See below:
[root@vm-idm-011 log]# rpm -q ipa-server
ipa-server-4.4.0-7.el7.x86_64
[root@vm-idm-011 log]# ls -al ipaupgrade.log 
-rw-r--r--. 1 root root 0 Aug 10 17:59 ipaupgrade.log
[root@vm-idm-011 log]# cat ipaupgrade.log 
[root@vm-idm-011 log]# 

Thus on the basis of above observations, marking the status of bug to "ASSIGNED".
Comment 16 Martin Bašti 2016-08-10 13:36:58 UTC 
Can you provide more info?

Any output from yum upgrade?
Can you re-run ipa-server-upgrade?
Comment 17 Nikhil Dehadrai 2016-08-10 14:01:33 UTC 
Hi Martin,

Please find the details as below:

[root@vm-idm-011 log]# cat yum.log | grep ipa-server
Aug 10 13:25:33 Installed: ipa-tests-ipa-server-rhel70-shared-sgoveas.20150107141511-0.noarch
Aug 10 13:26:21 Installed: ipa-tests-ipa-server-rhel70-quickinstall-spoore.20140812195047-0.noarch
Aug 10 13:28:29 Installed: ipa-server-3.3.3-28.el7.x86_64
Aug 10 17:59:03 Installed: ipa-server-common-4.4.0-7.el7.noarch
Aug 10 17:59:05 Installed: ipa-server-4.4.0-7.el7.x86_64
Aug 10 17:59:06 Installed: ipa-server-dns-4.4.0-7.el7.noarch

On running ipa-server-upgrade I notice following:
[root@vm-idm-011 ~]# ipa-server-upgrade
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-upgrade", line 10, in <module>
    from ipaserver.install.ipa_server_upgrade import ServerUpgrade
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 9, in <module>
    from ipaserver.install import server
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 5, in <module>
    from .install import Server
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 35, in <module>
    from ipaserver.install import (
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 9, in <module>
    from ipaserver.install import cainstance, dsinstance, bindinstance
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 72, in <module>
    from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 30, in <module>
    from pki.client import PKIConnection
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
ImportError: No module named packages.urllib3.exceptions


Let me know if you need access to the machine.
Comment 18 Martin Bašti 2016-08-10 14:15:55 UTC 
This is a dogtag issue

  File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
ImportError: No module named packages.urllib3.exceptions

There are already several bugs for that.
Comment 19 Martin Bašti 2016-08-10 14:30:56 UTC 
here: https://bugzilla.redhat.com/show_bug.cgi?id=1364071

I don't know how to handle this, but we cannot fix it on IPA side :)
Comment 20 Martin Kosek 2016-08-11 06:34:25 UTC 
If this is fixed with pki-core-10.3.3-5.el7, you can simply bump Requires in ipa and move this bug to ON_QA. No?
Comment 21 Martin Bašti 2016-08-11 07:20:33 UTC 
I don't know if it was fixed, bz1364071 is still ON_QA
Comment 23 Petr Vobornik 2016-08-23 12:04:52 UTC 
The issue will be fixed in bug 1364071 and bug 1365572. Temporary workaround: update:  python-requests to version >= 2.6.0
Comment 24 Petr Vobornik 2016-09-05 14:51:54 UTC 
Both bug 1364071 and bug 1365572  are on QA which should fix the issue in comment 17.
Comment 25 Nikhil Dehadrai 2016-09-22 13:30:25 UTC 
IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of following points:
1. Verified that IPA server upgrade is successful for path RHEL 7.0 to RHEL 7.3.
2. "DNS timed out error" message is not displayed at the console.
3. "httpd.service" error message is not observed in ipaupgrade.log.
4.  No errors related to import of urllib3.exceptions are noticed in ipaupgarde.log
5. The dummy dns forwardzone details created at 7.0 are reflected after upgrade.

Thus on the basis of observations above, marking the status of bug to "VERIFIED".
Comment 28 errata-xmlrpc 2016-11-04 05:41:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html