Bug 1469246

Summary: Replica install fails to configure IPA-specific temporary files/directories
Product: Red Hat Enterprise Linux 7
Reporter: Martin Babinsky <mbabinsk>
Component: ipa
Assignee: Petr Vobornik <pvoborni>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.4
CC: abokovoy, enewland, ipa-maint, jreznik, ksiddiqu, mkosek, ndehadra, pasik, pvoborni, rcritten, salmy, slaznick, tscherf
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-21.el7
Doc Type: If docs needed, set a value
Doc Text:
Previously, when installing an IdM replica, the installer incorrectly set the location and permissions of temporary directories. The IdM management framework requires these temporary directories to operate correctly. As a consequence, after rebooting the newly configured replica, the services tied to the management framework did not work and displayed non-specific error messages. To fix this bug, the installer now additionally adds a drop-in configuration file that re-creates the directory structure after rebooting. As a result, the IdM replica continues to work correctly after reboot.
Story Points: ---
Clone Of: 1467675
: 1470125
Environment:
Last Closed: 2018-04-10 16:42:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1467675
Bug Blocks: 1470125
Attachments:
Description | Flags
RHEL75-Replica-Plain install-after-reboot | none
RHEL74z_to_RHEL75_Replica_upgrade | none

Comment 3 Martin Babinsky 2017-07-10 17:59:48 UTC
This issue can be reproduced also on RPM based installs (no containers):

1.) install a master
2.) install a replica
3.) reboot a replica
4.) try to login to WebUI on the replica

Actual outcome:

login fails due to missing /var/run/ipa directory

Expected outcome:

login works and WebUI is fully functional.

Moreover, upon replica VM restart only the directory server is running; all other services are stopped. When running `ipactl restart` I see the following error:

```
ipactl restart
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
```

This is also caused by the missing configuration in /etc/tmpfiles.d. A proper solution would be to ship an ipa-specific configuration to /usr/lib/tmpfiles.d/ (where vendor-provided configuration should be placed anyway) via spec file instead of runtime shenanigans. We are adding ipaapi user in spec anyway so we should not encounter issues with missing directory owners anymore.

Comment 6 Alexander Bokovoy 2017-07-10 20:10:49 UTC
Note that the code in 38c66896de1769077cd5b057133606ec5eeaf62b first creates the temporary directory, then runs client installation, and then configures systemd-tmpfiles to re-create temporary directories on reboot.

However, in the case of replica, we do not configure systemd-tmpfiles to re-create temporary directories. Instead, we expect upgrade code to handle this.

It looks like in the case of a replica installation we never run the upgrade routine at all.

So a potential workaround would be to explicitly run ipa-server-upgrade before rebooting a replica, with or without containers.
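
A pre-reboot check for the situation discussed in comments 3 and 6, as an added example that is not part of the original bug report or FreeIPA's own code: it scans tmpfiles.d directories for rules that re-create /var/run/ipa and /var/run/ipa/ccaches. The function names, the first-match lookup and the constructed sample rules (including the `0711 root root` line) are assumptions; the expected ccaches owner and mode are taken from the directory listing in comment 16.

```bash
# /var/run is a symlink to /run on RHEL 7, so treat both spellings as equal.
norm_path() { printf '%s\n' "$1" | sed 's|^/var/run/|/run/|; s|/*$||'; }

# Print "mode user group" of the first d/D rule for path $1 found in the
# tmpfiles.d directories given as remaining arguments; return 1 if none.
# Simplification: first match wins; systemd's override order is not modelled.
tmpfiles_rule_for() {
    local want dir f type path mode user group _
    want=$(norm_path "$1"); shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            while read -r type path mode user group _ || [ -n "$type" ]; do
                case "$type" in d*|D*) ;; *) continue ;; esac
                if [ "$(norm_path "$path")" = "$want" ]; then
                    printf '%s %s %s\n' "$mode" "$user" "$group"
                    return 0
                fi
            done < "$f"
        done
    done
    return 1
}

# Both directories need a rule; ccaches must match the owner and mode shown in
# the verified listing (drwxrwx--- ipaapi ipaapi).
check_ipa_tmpfiles() {
    local rule rc=0
    if ! tmpfiles_rule_for /var/run/ipa "$@" >/dev/null; then
        echo "MISSING: no tmpfiles.d rule for /var/run/ipa"; rc=1
    fi
    if ! rule=$(tmpfiles_rule_for /var/run/ipa/ccaches "$@"); then
        echo "MISSING: no tmpfiles.d rule for /var/run/ipa/ccaches"; rc=1
    elif [ "$rule" != "0770 ipaapi ipaapi" ]; then
        echo "UNEXPECTED: ccaches rule is '$rule'"; rc=1
    fi
    return $rc
}

# Constructed sample drop-in (the 0711 root root line is an assumption).
make_sample() {
    local d; d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'd /run/ipa 0711 root root' \
        'd /run/ipa/ccaches 0770 ipaapi ipaapi' > "$d/ipa.conf"
    echo "$d"
}
sample=$(make_sample)
check_ipa_tmpfiles "$sample" && echo "OK: rules cover /var/run/ipa"
rm -rf "$sample"
```

On a replica, the same function can be pointed at the real search path: `check_ipa_tmpfiles /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d`.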

Comment 7 Martin Babinsky 2017-07-11 10:50:50 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7053

Comment 12 Pavel Vomacka 2017-07-12 12:17:36 UTC
Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/76cc115c53c3a9c5f594083ff4c4452479070021

Comment 14 Standa Laznicka 2017-08-30 11:07:12 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/a2de6a17c56ab86b0f4f22f63406bfff131155cf

Comment 16 Nikhil Dehadrai 2018-01-05 13:25:14 UTC
ipa-server version: ipa-server-4.5.4-7.el7.x86_64

Verified the bug on the basis of the following observations:
1) Log in to webui of replica is successful after reboot when REPLICA is setup on RHEL 75 as fresh install.
2) Log in to webui of replica is successful after reboot when REPLICA is setup as upgraded from RHEL74z to RHEL75.
3) Verified that '/var/run/ipa' directory exists on Replica.
4) Similar behavior is observed with IPA-master after reboot.

Replica:

```
[root@ibm-x3650m4-01-vm-01 ~]# tail -1 /var/log/ipareplica-install.log
2018-01-05T11:57:21Z INFO The ipa-replica-install command was successful
[root@ibm-x3650m4-01-vm-01 ~]# rpm -q ipa-server nss
ipa-server-4.5.4-7.el7.x86_64
nss-3.34.0-1.el7.x86_64
[root@ibm-x3650m4-01-vm-01 ~]# ls -l /var/run/ipa/
total 8
drwxrwx---. 2 ipaapi ipaapi  60 Jan  5 08:13 ccaches
-rw-------. 1 root   root    19 Jan  5 07:58 renewal.lock
-rw-r--r--. 1 root   root   104 Jan  5 08:04 services.list
[root@ibm-x3650m4-01-vm-01 ~]#
```


Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 17 Nikhil Dehadrai 2018-01-05 13:28:26 UTC
Created attachment 1377493
RHEL75-Replica-Plain install-after-reboot

Comment 18 Nikhil Dehadrai 2018-01-05 13:29:56 UTC
Created attachment 1377496
RHEL74z_to_RHEL75_Replica_upgrade

Comment 21 errata-xmlrpc 2018-04-10 16:42:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918