Bug 1298097

Summary: IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
Product: Red Hat Enterprise Linux 7 Reporter: Jan Kurik <jkurik>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.2CC: ekeck, enewland, gparente, ipa-maint, jcholast, ksiddiqu, mbasti, mkosek, ndehadra, pspacek, pvoborni, rcritten
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.2.0-15.el7_2.5 Doc Type: Bug Fix
Doc Text:
The ipa packages require openssl packages of version 1.0.1e-42 or later. Previously, this requirement was missing from the spec file. As a consequence, upgrade of an IdM server could fail upon creating a SoftHSM database. With this update, the dependency on the correct version of openssl has been added to the spec file. As a result, the SoftHSM database is created and the upgrade is successful.
 Story Points: ---
Clone Of: 1286635 Environment:
Last Closed: 2016-02-16 10:58:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1286635    
Bug Blocks:    
Attachments:
Description Flags
Verification steps / logs for bug 1298097 none

Description Jan Kurik 2016-01-13 09:00:51 UTC 
This bug has been copied from bug #1286635 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Nikhil Dehadrai 2016-01-25 18:09:03 UTC 
IPA server 7.0: ipa-server-3.3.3-28.el7.x86_64
IPA server 7.2 update 2: ipa-server-4.2.0-15.el7_2.4.x86_64

Tested the bug with following steps for RHEL 7.2 update 2:
1. Setup RHEL7.0 host with IPA master
2. Add RHEl7.2 and RHEL 7.2 update repos on the system.
3. Run command #yum update ipa* sssd
4. Verify the logs for yum update process along with ipaupgrade process.
# tail -f /var/log/messages
# tail -f /var/log/ipaupgrade.log
# tail -f /var/log/yum.log

Actual results:
1. After step4, Following error message is displayed at the screen:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned non-zero exit status 1

2. ipa-upgrade is successful (rpm -qa | grep ipa-server*)
3. openssl version is not updated (remains as openssl-1.0.1e-34.el7.x86_64 in my case)

On the basis of above observations, the error message is still observed while upgrade ipa-server from RHEL 7.0 to RHEL 7.2 update 2, thus marking the status of bug to "ASSIGNED".
Comment 6 Martin Bašti 2016-01-25 18:11:56 UTC 
We investigated it, and it requires to have specified epoch in specfile for opnssl, otherwise yum will not update openssl package.


Requires(pre): openssl >= 1:1.0.1e-42
Requires: openssl >= 1:1.0.1e-42
Comment 8 Nikhil Dehadrai 2016-01-27 11:08:24 UTC 
IPA server 7.0: ipa-server-3.3.3-28.el7.x86_64
IPA server 7.2 update 2: ipa-server-4.2.0-15.el7_2.5.x86_64

Verified the bug with following steps for RHEL 7.2 update 2:
1. Setup RHEL7.0 host with IPA master
2. Add RHEl7.2 and RHEL 7.2 update repos on the system.
3. Run command #yum update ipa* sssd
4. Once the update process is complete, Verified that upgrade of ipa-server to 4.2.0-15.el7_2.5 is successful.
5. Verified that no failure messages related to IPA update process are reported inside following log files:
# tail -f /var/log/messages
# tail -f /var/log/ipaupgrade.log
# tail -f /var/log/yum.log
6. Also verified that ipa server is updated successfully even when command #yum update is used.

Thus on the basis of above observations, marking the status of bug to "VERIFIED".

Please refer the attachment for logs related to this upgrade process.
Comment 9 Nikhil Dehadrai 2016-01-27 11:09:49 UTC 
Created attachment 1118757 [details]
Verification steps / logs for bug 1298097
Comment 11 errata-xmlrpc 2016-02-16 10:58:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0211.html