Bug 1369761

Summary: ipa-server must depend on a version of httpd that support mod_proxy with UDS
Product: Red Hat Enterprise Linux 7 Reporter: Nikhil Dehadrai <ndehadra>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: cheimes, jcholast, mbasti, mkolaja, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://fedorahosted.org/freeipa/ticket/6251
Whiteboard:
Fixed In Version: ipa-4.4.0-9.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 06:02:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1373910    
Bug Blocks: 1364071    

Description Nikhil Dehadrai 2016-08-24 10:49:25 UTC
Description of problem:
ipa-server must depend on a version of httpd that support mod_proxy with UDS, as a result noticed that ipa-server upgrade failed for upgrade path 7.0 > 7.3.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server on RHEL 7.0 (in my case ipa-server-3.3.3-28.el7.x86_64)
2. Use the latest repo links for RHEL 7.3
3. Now update the ipa server with command "yum -y update 'ipa*' sssd"

Actual results:
1. IPA-server upgrade fails.
2. After upgrade:
#  journalctl -l -u httpd.service
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test systemd[1]: Starting The Apache HTTP Server...
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test ipa-httpd-kdcproxy[13706]: ipa         : INFO     KDC proxy enabled
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test httpd[13707]: AH00526: Syntax error on line 113 of /etc/httpd/conf.d/ipa.conf:
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test httpd[13707]: ProxyPass URL must be absolute!
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 24 03:08:06 auto-hv-01-guest09.testrelm.test systemd[1]: Failed to start The Apache HTTP Server.
line 113 is:  ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"

3. # rpm -q httpd
httpd-2.4.6-17.el7.x86_64

4. # tail -f /var/log/ipaupgrade.log
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 285, in start
    skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 489, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))

2016-08-24T07:08:06Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
2016-08-24T07:08:06Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
2016-08-24T07:08:06Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

5.# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest09 log]# ipactl restart
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
[root@auto-hv-01-guest09 log]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
[root@auto-hv-01-guest09 log]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl
 


Expected results:
Ipa-server upgrade should be successful and no errors should be observed.

Additional info:
The upgrade was successful for 7.1 > 7.3

Comment 3 Petr Vobornik 2016-08-24 12:43:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6251

Comment 4 Martin Bašti 2016-08-24 15:24:02 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/17bb9b9a9ba983020c66f4b83a5918be636ef3bd

Comment 7 Nikhil Dehadrai 2016-09-22 13:29:42 UTC
IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of following points:
1. Verified that IPA server upgrade is successful for path RHEL 7.0 to RHEL 7.3.
2. "DNS timed out error" message is not displayed at the console.
3. "httpd.service" error message is not observed in ipaupgrade.log.
4.  No errors related to import of urllib3.exceptions are noticed in ipaupgarde.log
5. The dummy dns forwardzone details created at 7.0 are reflected after upgrade.

Thus on the basis of observations above, marking the status of bug to "VERIFIED".

Comment 10 errata-xmlrpc 2016-11-04 06:02:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html