Bug 1367022

Summary: The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora <jpazdziora>
Component: ipa Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.3 CC: abokovoy, extras-qa, ipa-maint, jcholast, jhrozek, jpazdziora, mbasti, mkosek, ndehadra, nsoman, pspacek, pvoborni, rcritten, ssorce
Target Milestone: rc Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.4.0-8.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1365669 Environment:
Last Closed: 2016-11-04 06:01:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1365669    
Bug Blocks:    

Comment 6 Nikhil Dehadrai 2016-09-19 14:58:17 UTC
IPA-server version: ipa-server-4.4.0-12.el7.x86_64
---------------------

Verified the bug on the basis of the following observations:
1. Verified that after stopping "named-pkcs11", updates are downloaded successfully using the "downloadonly" option.
# systemctl stop named-pkcs11

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

# yum --downloadonly update 'ipa*' sssd

2. Noticed that on running the update again, the following message is observed at the console:

# yum -y update 'ipa*' sssd

  Cleanup    : libini_config-1.2.0-25.el7.x86_64                                                               141/141 
DNS query for vm-idm-016.testrelm.test. A failed: The DNS operation timed out after 30.0005340576 seconds
Skipping update of global DNS forwarder in LDAP: Unable to determine if local server is using an IP address belonging to an automatic empty zone. Consider changing forwarding policy to "only". DNS exception: The DNS operation timed out after 30.0005340576 seconds
  Verifying  : sssd-1.14.0-42.el7.x86_64                                                                         1/141 

3. Verified that ipa-server install task was run successfully within ipaupgrade.log and also the ipa-server package was updated.

# tail -10 /var/log/ipaupgrade.log 
2016-09-19T13:33:38Z DEBUG response status 200
2016-09-19T13:33:38Z DEBUG response headers {'date': 'Mon, 19 Sep 2016 13:33:38 GMT', 'content-length': '168', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
2016-09-19T13:33:38Z DEBUG response body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.3.3-10.el7</Version></XMLResponse>'
2016-09-19T13:33:38Z DEBUG Starting external process
2016-09-19T13:33:38Z DEBUG args=/bin/systemctl stop pki-tomcatd@pki-tomcat.service
2016-09-19T13:33:39Z DEBUG Process finished, return code=0
2016-09-19T13:33:39Z DEBUG stdout=
2016-09-19T13:33:39Z DEBUG stderr=
2016-09-19T13:33:39Z INFO The IPA services were upgraded
2016-09-19T13:33:39Z INFO The ipa-server-upgrade command was successful

# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64

# kinit admin
Password for admin@TESTRELM.TEST: 

# cat /var/log/ipaupgrade.log | grep "DNS operation"
2016-09-19T13:32:07Z ERROR DNS query for vm-idm-016.testrelm.test. A failed: The DNS operation timed out after 30.0005340576 seconds
2016-09-19T13:32:07Z ERROR Skipping update of global DNS forwarder in LDAP: Unable to determine if local server is using an IP address belonging to an automatic empty zone. Consider changing forwarding policy to "only". DNS exception: The DNS operation timed out after 30.0005340576 seconds

# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
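
The log checks from step 3 of the comment above, as an added shell example that is not part of the original comment or of FreeIPA: it takes the last "The ipa-server-upgrade command ..." line in ipaupgrade.log as the outcome and counts the DNS-timeout ERROR lines separately from any other ERROR lines. The function names sample_log and check_ipa_upgrade are hypothetical, and it assumes the outcome line always begins with "The ipa-server-upgrade command".

```shell
#!/bin/sh
# Added example; sample_log and check_ipa_upgrade are hypothetical names.

# Sample input built from the ipaupgrade.log lines quoted in the comment above.
sample_log() {
cat <<'EOF'
2016-09-19T13:32:07Z ERROR DNS query for vm-idm-016.testrelm.test. A failed: The DNS operation timed out after 30.0005340576 seconds
2016-09-19T13:32:07Z ERROR Skipping update of global DNS forwarder in LDAP: Unable to determine if local server is using an IP address belonging to an automatic empty zone. Consider changing forwarding policy to "only". DNS exception: The DNS operation timed out after 30.0005340576 seconds
2016-09-19T13:33:39Z DEBUG Process finished, return code=0
2016-09-19T13:33:39Z INFO The IPA services were upgraded
2016-09-19T13:33:39Z INFO The ipa-server-upgrade command was successful
EOF
}

# check_ipa_upgrade LOGFILE
# Prints "<verdict> dns_timeouts=N other_errors=M".
# Returns 0 if the last outcome line reports success, 1 if not, 2 if unreadable.
check_ipa_upgrade() {
    log=$1
    [ -r "$log" ] || { echo "UNREADABLE"; return 2; }

    # ERROR lines caused by named being down during the upgrade (the DNS timeout).
    # grep -c exits 1 on a zero count, so keep "set -e" callers alive with || true.
    dns=$(grep -c ' ERROR .*The DNS operation timed out' "$log" || true)

    # Every other ERROR line; these deserve a closer look.
    other=$(grep ' ERROR ' "$log" | grep -vc 'The DNS operation timed out' || true)

    # The log is appended to on each run, so only the last outcome line counts.
    last=$(grep 'The ipa-server-upgrade command ' "$log" | tail -n 1)
    case $last in
        *'The ipa-server-upgrade command was successful') verdict=OK ;;
        *) verdict=NOT_OK ;;
    esac

    echo "$verdict dns_timeouts=$dns other_errors=$other"
    [ "$verdict" = OK ]
}

# Demo on the embedded sample; on a server, pass /var/log/ipaupgrade.log instead.
demo_log=$(mktemp)
sample_log > "$demo_log"
check_ipa_upgrade "$demo_log"
rm -f "$demo_log"
```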

Comment 8 errata-xmlrpc 2016-11-04 06:01:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html