Bug 1465472

Summary: Error at open session: 0x3 when installling IPA server in F26
Product: [Fedora] Fedora Reporter: Oliver Gutiérrez <ogutierr>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 26CC: abokovoy, awilliam, ipa-maint, jcholast, jhrozek, mbasti, ogutierr, pvoborni, rcritten, robatino, ssorce, tkrizek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: RejectedBlocker
Fixed In Version: freeipa-4.4.4-4.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-13 14:50:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Full install log none

Description Oliver Gutiérrez 2017-06-27 13:43:28 UTC 
Created attachment 1292340 [details]
Full install log

Description of problem:

IPA server installation command fails almost finishing with this error:

The ipa-server-install command failed, exception: Error: Error at open session: 0x3

Version-Release number of selected component (if applicable):


How reproducible: Suposedly always (I did it 2 times in a row in clean F26 virtual machines)

Steps to Reproduce:
1. I am using this script for installation: https://github.com/olivergs/fleet-commander-freeipa-environment/blob/master/ipamaster.sh
2. Configured IPA server installation leaving default values except the DNS forwarding that I set to NO
3. Installation begins and fails when it is almost finishing.

Actual results:

Server not installed. Failing with error: The ipa-server-install command failed, exception: Error: Error at open session: 0x3

Las part of log:

https://paste.fedoraproject.org/paste/kfsUTVtUE2kdgZ4cAXJAoQ

full log file in attachments.

Expected results:

IPA server install finishing

Additional info:

I noticed resol.conf got modified and shows the following contents:

search fc.ipa
nameserver 127.0.0.1
Comment 1 Martin Bašti 2017-06-27 15:18:03 UTC 
Thank you for reporting this.

Tomas we have to backport this patch to FreeIPA in F26 07df61b7814db08d81e1ff92f58b24e5d852fdf8
Comment 2 Fedora Blocker Bugs Application 2017-06-29 08:45:18 UTC 
Proposed as a Blocker for 26-beta by Fedora user ogutierrez using the blocker tracking app because:

 Latest FreeIPA server in F26 Beta is not installable. During the execution of freeipa-server-install it fails the installation with a reproducible error.
Comment 3 Andre Robatino 2017-06-29 08:57:57 UTC 
Beta is out, if you want this to be a blocker it has to be against F26 Final.
Comment 4 Oliver Gutiérrez 2017-06-29 09:02:46 UTC 
Thanks for fixing the mistake Andre.
Comment 5 Fedora Update System 2017-06-29 09:26:00 UTC 
freeipa-4.4.4-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1dabaf8ee1
Comment 6 Oliver Gutiérrez 2017-06-29 10:08:17 UTC 
Tested in a clean/updated Fedora 26 and seems working now.
Comment 7 Adam Williamson 2017-06-29 15:40:54 UTC 
The openQA FreeIPA server test has been working fine for weeks; is there some specific circumstance which triggers this bug?
Comment 8 Adam Williamson 2017-06-29 15:57:29 UTC 
Ah, now I see what the issue is:

https://pagure.io/freeipa/issue/6692

"ipa-dnskeysyncd: is failing with softhsm 2.2.0"

softhsm 2.2.0 is in updates-testing, not in stable. So the openQA nightly test is passing because it doesn't use u-t.

That means this doesn't need to be a release blocker unless softhsm 2.2.0 gets pushed stable for some reason (it doesn't seem to be proposed for a blocker or FE bug, so there's no reason why it would at present).

Note that softhsm 2.2.0 is queued for F25 as well as F26:

https://bodhi.fedoraproject.org/updates/FEDORA-2017-30c570630b (F25)
https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8 (F26)

Instead of having separate freeipa updates (as is currently the case), the fixed freeipa packages should be added to the softhsm updates, as per the packaging guidelines (so softhsm doesn't get pushed without freeipa, resulting in freeipa breaking until the freeipa update is pushed). I'm trying to do this at present, but running into Bodhi issues; trying to get releng to help with that.
Comment 9 Fedora Update System 2017-06-29 16:54:03 UTC 
freeipa-4.4.4-4.fc26 softhsm-2.2.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8
Comment 10 Fedora Update System 2017-06-29 16:54:28 UTC 
freeipa-4.4.4-4.fc26 softhsm-2.2.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8
Comment 11 Adam Williamson 2017-06-29 19:01:51 UTC 
Discussed at 2017-06-29 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html . Rejected as a blocker, as the update that causes the problem is not in stable and is not queued as a blocker or FE fix, so the frozen package set should not have the problem.

I've now edited the F25 and F26 updates such that the softhsm and freeipa updates are together, so it should not be possible for the softhsm update to go to stable without the freeipa build that works with it.
Comment 12 Alexander Bokovoy 2017-06-29 19:03:36 UTC 
Thanks, Adam. This should work fine.
Comment 13 Fedora Update System 2017-06-30 20:25:00 UTC 
freeipa-4.4.4-4.fc26, softhsm-2.2.0-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8
Comment 14 Fedora Update System 2017-07-13 14:50:27 UTC 
freeipa-4.4.4-4.fc26, softhsm-2.2.0-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.