Bug 1376043

Summary: certmap.conf file is not backed up during ipa-server-upgrade
Product: Red Hat Enterprise Linux 7
Reporter: Sudhir Menon <sumenon>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: ndehadra, pvoborni, rcritten, sumenon
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.5.0-1.el7
Last Closed: 2017-08-01 09:39:54 UTC
Type: Bug
Attachments:
  ipa-server-upgrade
  ipa server upgrade log
  ipaupgrade.log

Description Sudhir Menon 2016-09-14 13:51:57 UTC
Created attachment 1200827
ipa-server-upgrade

Description of problem: certmap.conf file is not backed up during ipa-server-upgrade


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-11.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Install ipa-server
2. Run ipa-server-upgrade
3. Check the message displayed on the console.

Actual results:
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.  <======

/etc/dirsrv/slapd-TESTRELM-TEST
[root@master slapd-TESTRELM-TEST]# ls -l
total 1464
-rw-------. 1 dirsrv root    65536 Sep 14 18:01 cert8.db
-rw-rw----. 1 dirsrv dirsrv  65536 Sep 14 16:03 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv   1623 Sep 14 15:59 certmap.conf
-rw-------. 1 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.bak
-rw-------. 1 dirsrv root   185075 Sep 14 17:57 dse.ldif.ipa.0c9848ee71a223f7
-rw-------. 1 dirsrv root   158036 Sep 14 16:03 dse.ldif.ipa.6caae511ef006046
-rw-------. 1 dirsrv root   185075 Sep 14 18:01 dse.ldif.ipa.9e97b50e5209c89f
-rw-r--r--. 1 dirsrv root   185144 Sep 14 18:01 dse.ldif.modified.out
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36163 Sep 14 15:59 dse_original.ldif
-rw-------. 1 dirsrv root    16384 Sep 14 18:01 key3.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 16:03 key3.db.orig
-r--------. 1 dirsrv dirsrv     66 Sep 14 16:03 pin.txt
-rw-------. 1 dirsrv dirsrv     40 Sep 14 16:03 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv   4096 Sep 14 18:02 schema
-rw-------. 1 dirsrv root    16384 Sep 14 18:02 secmod.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 15:59 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv  15142 Sep 14 15:59 slapd-collations.conf

Expected results: The message displayed during the ipa-server-upgrade on the console says that '/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf' is now managed by IPA. It will be overwritten. A backup of the original will be made.

Backup of the original file, i.e. certmap.conf, is not present.


Additional info:

Comment 1 Sudhir Menon 2016-09-14 14:01:49 UTC
Created attachment 1200831
ipa server upgrade log

Comment 2 Petr Vobornik 2016-09-14 14:36:22 UTC
It may be possible that there is an "issue" only in debug messages.

If the file doesn't exist then it will not be backed up.

Could you check if the file exists before step 2?

Also, what is the IPA version in step 1? ipa-server-4.4.0-11.el7.x86_64?

By the way, attachment 1200831 contains the same file as attachment 1200827, i.e. the upgrade log is missing.

Comment 4 Sudhir Menon 2016-09-14 16:27:07 UTC
Created attachment 1200910
ipaupgrade.log

Petr,

I tried this with a fresh install of IPA server and here are the observations.

1. certmap.conf is placed in /etc/dirsrv/slapd-TESTRELM-TEST post IPA server install, i.e. the file does exist before ipa-server-upgrade.

2. ipa-server-4.4.0-11.el7.x86_64 is the version used.

3. Attaching the upgrade logs for reference.

Comment 5 Petr Vobornik 2016-09-23 16:49:33 UTC
Neither the certmap file nor the template contains the "VERSION" string. So upgrade.find_version will always return 0.

In such a case upgrade.upgrade_file logs the message above, but given that it is called as:

    if subject_base:
        upgrade_file(
            sub_dict,
            os.path.join(ds_dirname, "certmap.conf"),
            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template")
        )

i.e. without "add=True", the file is not backed up/upgraded:

    if old < new or (add and old == 0):
        backup_file(filename, new)
        update_conf(sub_dict, filename, template)
        root_logger.info("Upgraded %s to version %d", filename, new)

This also means that the file won't be upgraded unless a VERSION is set in it in the next update.

The certmap file has been created in the DS instance since 2007, and the last update of the template was in commit ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e. That commit removed the VERSION line, presumably by accident because it was changing license text.


Conclusion: it is a bug which doesn't cause any harm but the version string MUST be changed back
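
The gate described in Comment 5, as a simplified model added here (not FreeIPA's own code and not part of the thread). Only the condition `old < new or (add and old == 0)` and the names find_version/upgrade_file come from the page; the VERSION regex, the backup file name, the sample file contents and run_case are assumptions. It shows that when neither file carries a VERSION line the warning is logged but no backup is written, while a template carrying VERSION 3 triggers both the backup and the upgrade.

```python
import os
import re
import shutil
import tempfile

# Assumed pattern: a possibly commented "VERSION <n>" line, as in comment 10.
VERSION_RE = re.compile(r"^[\s#]*VERSION\s+([0-9]+)")

def find_version(path):
    """Return the VERSION number found in the file, or 0 if there is none."""
    with open(path) as fd:
        for line in fd:
            match = VERSION_RE.match(line)
            if match:
                return int(match.group(1))
    return 0

def upgrade_file(filename, template, add=False):
    """Simplified model of the gate; returns (warned, backup_path or None)."""
    old, new = find_version(filename), find_version(template)
    warned = old == 0  # the "now managed by IPA ... backup" message is logged
    backup = None
    if old < new or (add and old == 0):
        backup = filename + ".example-backup"  # hypothetical backup name
        shutil.copy2(filename, backup)
        shutil.copy2(template, filename)  # stands in for update_conf()
    return warned, backup

# Constructed sample contents, not the real certmap.conf or template.
UNVERSIONED = "# constructed sample without a version line\ncertmap default default\n"
VERSIONED = "# VERSION 3 - DO NOT REMOVE THIS LINE\n" + UNVERSIONED

def run_case(template_text, add=False):
    """Upgrade an unversioned certmap.conf; return (warned, backed_up, version)."""
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "certmap.conf")
        tmpl = os.path.join(workdir, "certmap.conf.template")
        for path, text in ((conf, UNVERSIONED), (tmpl, template_text)):
            with open(path, "w") as fd:
                fd.write(text)
        warned, backup = upgrade_file(conf, tmpl, add)
        return warned, backup is not None, find_version(conf)

if __name__ == "__main__":
    print("template without VERSION:", run_case(UNVERSIONED))
    print("same, with add=True:     ", run_case(UNVERSIONED, add=True))
    print("template with VERSION 3: ", run_case(VERSIONED))
```

The first case reproduces the reported behaviour (warning without backup); the third matches observation 3 in Comment 10.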

Comment 6 Petr Vobornik 2016-09-23 16:52:18 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6354

Comment 7 Petr Vobornik 2017-04-06 16:56:12 UTC
Should be fixed in

Comment 8 Petr Vobornik 2017-04-06 17:02:09 UTC
master:
    https://pagure.io/freeipa/c/c49320435ddc67210c0d95be273e971ea8ffad6d

Meaning IPA 4.5, ipa-4.5.0-1.el7

Comment 10 Sudhir Menon 2017-05-25 12:45:30 UTC
Tested on RHEL7.4
     
ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
sssd-1.15.2-35.el7.x86_64
pki-server-10.4.1-4.el7.noarch
pki-ca-10.4.1-4.el7.noarch
389-ds-base-1.3.6.1-14.el7.x86_64
     
Observations:
1. The below line is no longer seen when ipa-server-upgrade is run
'/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made'
     
2. certmap.conf contains the below lines now.
[root@master]# cat certmap.conf
# VERSION 3 - DO NOT REMOVE THIS LINE
#
# This file is managed by IPA and will be overwritten on upgrades.
     
3. If we remove the VERSION info from the file and try ipa-server-upgrade, it has been added to the file after the command completes. The below message is displayed on the console.
     
[root@master slapd-TESTRELM-TEST]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
      [1/10]: stopping directory server
      [2/10]: saving configuration
      [3/10]: disabling listeners
      [4/10]: enabling DS global lock
      [5/10]: starting directory server
      [6/10]: updating schema
      [7/10]: upgrading server
      [8/10]: stopping directory server
      [9/10]: restoring configuration
      [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
Upgraded /etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf to version 3

Comment 11 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304