Bug 1376043

Summary: certmap.conf file is not backed up during ipa-server-upgrade

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.3 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Sudhir Menon <sumenon> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | Nikhil Dehadrai <ndehadra> |
| CC | ndehadra, pvoborni, rcritten, sumenon |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.5.0-1.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-08-01 09:39:54 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Created attachment 1200831
ipa server upgrade log

It may be possible that there is an "issue" only in debug messages. If the file doesn't exist then it will not be backed up. Could you check if the file exists before step 2? Also, what is the IPA version in step 1? ipa-server-4.4.0-11.el7.x86_64?

btw, attachment 1200831 contains the same file as attachment 1200827, i.e. the upgrade log is missing.

Created attachment 1200910
ipaupgrade.log

Petr,
I tried this with a fresh install of IPA server and here are the observations.
1. certmap.conf is placed in /etc/dirsrv/slapd-TESTRELM-TEST post IPA server install, i.e. the file does exist before ipa-server-upgrade.
2. ipa-server-4.4.0-11.el7.x86_64 is the version used.
3. Attaching the upgrade logs for reference.

Both the certmap file and the template don't contain the "VERSION" string, so upgrade.find_version will always return 0. In such a case upgrade.upgrade_file logs the message above, but given that it is called as:

```python
if subject_base:
    upgrade_file(
        sub_dict,
        os.path.join(ds_dirname, "certmap.conf"),
        os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
    )
```

i.e. without "add=True", the file is not backed up/upgraded:

```python
if old < new or (add and old == 0):
    backup_file(filename, new)
    update_conf(sub_dict, filename, template)
    root_logger.info("Upgraded %s to version %d", filename, new)
```

This also means that the file won't be upgraded unless a VERSION is set in it in the next update.

The certmap file has been created in the DS instance since 2007, and the last update of the template was in commit ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e. That commit removed the VERSION line - assuming by accident, because it was changing the license text.

Conclusion: it is a bug which doesn't cause any harm, but the version string MUST be changed back.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6354

Should be fixed in master: https://pagure.io/freeipa/c/c49320435ddc67210c0d95be273e971ea8ffad6d

Meaning IPA 4.5, ipa-4.5.0-1.el7

Tested on RHEL7.4:

```
ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
sssd-1.15.2-35.el7.x86_64
pki-server-10.4.1-4.el7.noarch
pki-ca-10.4.1-4.el7.noarch
389-ds-base-1.3.6.1-14.el7.x86_64
```

Observations:

1. The below line is no longer seen when ipa-server-upgrade is run:
'/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made'

2. certmap.conf contains the below lines now.

```
[root@master]# cat certmap.conf
# VERSION 3 - DO NOT REMOVE THIS LINE
#
# This file is managed by IPA and will be overwritten on upgrades.
```

3. If we remove the VERSION info from the file and try ipa-server-upgrade, it is added to the file after the command gets completed. The below message is displayed on the console.

```
[root@master slapd-TESTRELM-TEST]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
Upgraded /etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf to version 3
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

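The version check analysed in the comments above, modelled as an added example (not FreeIPA's own code and not part of any comment in this bug). `find_version` and `upgrade_file` here are simplified stand-ins that work on strings, the VERSION regex is an assumption based on the marker line shown on this page, and the file contents are constructed samples.

```python
import re

# Assumed marker pattern, based on the line shown on this page:
# "# VERSION 3 - DO NOT REMOVE THIS LINE"
VERSION_RE = re.compile(r"^[\s#]*VERSION\s+(\d+)\b", re.MULTILINE)


def find_version(text):
    """Return the VERSION number found in the text, or 0 if there is none."""
    match = VERSION_RE.search(text)
    return int(match.group(1)) if match else 0


def upgrade_file(current, template, add=False):
    """Model the decision only; no files are read or written.

    Returns (warned, replaced): whether the "now managed by IPA ... A backup
    of the original will be made" message is logged, and whether the
    backup-and-overwrite branch actually runs.
    """
    old = find_version(current)
    new = find_version(template)
    warned = old == 0  # logged whenever the existing file has no VERSION
    replaced = old < new or (add and old == 0)
    return warned, replaced


# Constructed sample contents, not the real certmap.conf.
UNVERSIONED = "# This file is managed by IPA\ncertmap default default\n"
VERSIONED = "# VERSION 3 - DO NOT REMOVE THIS LINE\n" + UNVERSIONED

CASES = {
    "4.4.0: file and template both lack VERSION": (UNVERSIONED, UNVERSIONED),
    "fixed template, file still unversioned": (UNVERSIONED, VERSIONED),
    "fixed template, file already at VERSION 3": (VERSIONED, VERSIONED),
}

if __name__ == "__main__":
    for label, (current, template) in CASES.items():
        warned, replaced = upgrade_file(current, template)
        print(f"{label}: warned={warned} backup_and_overwrite={replaced}")
```

The first case is the state from the report: the message promising a backup is logged, but the backup-and-overwrite branch never runs. The other two match the verification on ipa-server-4.5.0-13.
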
Created attachment 1200827
ipa-server-upgrade

Description of problem:
certmap.conf file is not backed up during ipa-server-upgrade

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-11.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server
2. Run ipa-server-upgrade
3. Check the message displayed on the console.

Actual results:

```
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made. <======

/etc/dirsrv/slapd-TESTRELM-TEST
[root@master slapd-TESTRELM-TEST]# ls -l
total 1464
-rw-------. 1 dirsrv root    65536 Sep 14 18:01 cert8.db
-rw-rw----. 1 dirsrv dirsrv  65536 Sep 14 16:03 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv   1623 Sep 14 15:59 certmap.conf
-rw-------. 1 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.bak
-rw-------. 1 dirsrv root   185075 Sep 14 17:57 dse.ldif.ipa.0c9848ee71a223f7
-rw-------. 1 dirsrv root   158036 Sep 14 16:03 dse.ldif.ipa.6caae511ef006046
-rw-------. 1 dirsrv root   185075 Sep 14 18:01 dse.ldif.ipa.9e97b50e5209c89f
-rw-r--r--. 1 dirsrv root   185144 Sep 14 18:01 dse.ldif.modified.out
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36163 Sep 14 15:59 dse_original.ldif
-rw-------. 1 dirsrv root    16384 Sep 14 18:01 key3.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 16:03 key3.db.orig
-r--------. 1 dirsrv dirsrv     66 Sep 14 16:03 pin.txt
-rw-------. 1 dirsrv dirsrv     40 Sep 14 16:03 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv   4096 Sep 14 18:02 schema
-rw-------. 1 dirsrv root    16384 Sep 14 18:02 secmod.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 15:59 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv  15142 Sep 14 15:59 slapd-collations.conf
```

Expected results:
The message displayed during the ipa-server-upgrade on the console says that '/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf' is now managed by IPA. It will be overwritten. A backup of the original will be made. Backup of the original file, i.e. certmap.conf, is not present.

Additional info: