Bug 1403352
Summary: | FreeIPA server install fails (and existing servers probably fail to start) due to changes in 'dyndb' feature on merge to upstream BIND | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | freeipa | Assignee: | Tomas Krizek <tkrizek> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 26 | CC: | abokovoy, gmarr, ipa-maint, jcholast, jhrozek, jonstanley, jpazdziora, mbasti, pspacek, pvoborni, rcritten, robatino, sgallagh, ssorce, tkrizek |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | freeipa-4.4.3-5.fc26 | Doc Type: | If docs needed, set a value |
Last Closed: | 2017-09-05 22:35:16 UTC | Type: | Bug |
Bug Depends On: | 1404409, 1410433, 1432149, 1452866 | ||
Bug Blocks: |
Description
Adam Williamson
2016-12-09 19:14:29 UTC
At this point, unless Petr and other DNS maintainers can provide a plan for migrating dyndb backend to the new API, we will have to back out the use of BIND 9.11.

The plugin has been ready for quite some time, the missing part is just FreeIPA-generated named.conf. Let's fix this ASAP.

While attempting to fix new installations of IPA in rawhide, I encountered bug 1404409. It prevents named from starting, because it fails to connect to LDAP.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6565

Discussed during the 2017-01-09 blocker review meeting: [1]

The decision to classify this bug as an "AcceptedBlocker" was made as it violates the following criteria: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" (domain controller is a blocking role)

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-01-09/f26-blocker-review.2017-01-09-17.00.txt

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c26dd805bdb020b12346d8cb66638883c1f46b9e
https://fedorahosted.org/freeipa/changeset/e8a2abd548b594e6f22f38445ee32bcaa7f27303
https://fedorahosted.org/freeipa/changeset/5de7065fe5769e5c3d90205b0ecc963d96f4db58

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/52582ae9284b80c22a272f0793f0cddfb761f6dc
https://fedorahosted.org/freeipa/changeset/2f4442fff52090bad95a9b1f4f078e4d9acc8069

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.

According to the package changelog, this should be fixed since 4.4.3-5:

* Wed Feb 15 2017 Tomas Krizek <tkrizek> - 4.4.3-5
- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11
- Fixes #1412739 - ipa-kdb: support DAL version 6.1

but we've had various other issues since then which prevent verification. Setting to ON_QA; I'm hoping the next compose should have the certmonger and system-python bugs fixed and we can see if this one is fixed.

This does indeed look to be fixed; in recent openQA tests, FreeIPA server deployment finally works again. Client enrolment is failing, so it looks like there's still a blocker bug, but we're at least moving forward...

bind-dyndb-ldap-11.1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f6f66523b8

I've submitted a build that has two minor fixes related to this bug. It correctly converts named.conf of existing FreeIPA installations and also bumps the required version of BIND.

bind-dyndb-ldap-11.1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f6f66523b8

Then I'll move this to Beta blocker, as upgrades block Beta, not Alpha.

Discussed during the 2017-03-20 blocker review meeting: [1]

The decision was made to classify this bug as an AcceptedBlocker (Beta) as it violates the following criteria: "For each one of the release-blocking package sets, it must be possible to successfully complete a direct upgrade from fully updated installations of the last two stable Fedora releases with that..."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-03-20/f26-blocker-review.2017-03-20-16.06.txt

bind-dyndb-ldap-11.1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

So, should upgrades of FreeIPA servers to F26 be working now so far as anyone knows? tkrizek, is anything still outstanding here? I guess I can try and set up a test for it.

FreeIPA upgrade with DNS should work with bind-dyndb-ldap-11.1-2.fc26

When bind-dyndb-ldap is upgraded, it should pull in the new version of bind that has the new API (>9.11.0-6.P2) and transform /etc/named.conf to conform with the new API.

As of now, I'm not aware of any bugs that would be blocking FreeIPA server upgrade.

Stephen, I think you were gonna test an upgrade to F26 from an existing FreeIPA install, right? Did you do that? I forget.

(In reply to Adam Williamson from comment #24)
> Stephen, I think you were gonna test an upgrade to F26 from an existing
> FreeIPA install, right? Did you do that? I forget.

I have not done so and I unfortunately don't see myself having the time in the next week before Beta Freeze.

OK. I'll try and get to doing it myself, then.

So I've been working on getting openQA to test FreeIPA upgrade scenarios, and I *think* I've got it to the point where the test is valid and it's finding problems. I'm not sure yet if the problems are related to this bug; I'll file a new one and leave this open a bit longer while we figure out if they're related.

https://bugzilla.redhat.com/show_bug.cgi?id=1452866 is the new bug, logs are available there.

So this bug effectively depends on 1452866 now, for the upgrade case; FreeIPA upgrade process currently doesn't work properly at all. I'm gonna drop the blocker metadata from this bug, though, as we decided in review of 1452866 that FreeIPA upgrades in general don't block Beta, so the Alpha/Beta-blocking aspect of this is fixed already. If this turns out to be a problem on upgrade after the general upgrade bug is fixed, we can propose it as a Final blocker.

I'm pretty sure this turned out to be fine in testing.