Bug 1475946

Summary: ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgrade
Product: Red Hat Enterprise Linux 7
Component: ipa-server-container
Version: 7.4
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Nikhil Dehadrai <ndehadra>
Assignee: Petr Vobornik <pvoborni>
QA Contact: Nikhil Dehadrai <ndehadra>
CC: fbarreto, mbasti, slaznick
Target Milestone: rc
Target Release: ---
Keywords: Extras, Regression
Fixed In Version: rhel7/ipa-server:4.5.0-8
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 09:20:32 EDT
Type: Bug
Bug Depends On: 1476156
Bug Blocks: 1405325

Description Nikhil Dehadrai 2017-07-27 11:24:45 EDT
Description of problem:
The ipactl restart command fails to start the named-pkcs11 service for the ipa-server-docker image after IPA is upgraded from RHEL 7.3.z to RHEL 7.4.z.

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
ipa-server-4.5.0-21.el7.x86_64

IPA-DOCKER image: 4.5.0.7
atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-26 21:02:12)
                 Commit: 59c94e1776ecc877c59ca22c1a3f655b40ce13b67187284b733372b44a655211



How reproducible:
Always

Steps to Reproduce:
1. Set up IPA using the IPA docker image from RHEL 7.3.z.
# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=x.x.x.x --forwarder=x.x.x.x -r TESTRELM.TEST -a Secret123 -p Secret123 --no-ntp -U
2. Start the IPA container and run ipactl restart command.
# atomic run --name ipadocker rhel7/ipa-server
# docker exec -it ipadocker ipactl restart
3. Now load the latest ipa-server-docker image to atomic host
# docker load -i <ipa-server-docker image>
4. Run the following command to initiate the upgrade process
# atomic run --name ipadocker rhel7/ipa-server
5. Re-run the ipactl restart command
# docker exec -it ipadocker ipactl restart

Actual results:
1. After step 2, the ipactl restart command runs successfully.
2. After step 5, the ipactl restart command fails to restart.


Expected results:
The ipactl restart command should run successfully after ipa-docker image upgrade.

Comment 4 Martin Bašti 2017-07-28 03:28:40 EDT
The root cause is that the bind-dyndb-ldap package does its update in an RPM post scriptlet, which is not done in containers. This causes an invalid /etc/named.conf for the newer bind (in RHEL 7.4). The upgrade must be extracted from the RPM into an executable binary that must be called explicitly in the IPA container.

Comment 5 Martin Bašti 2017-07-28 04:35:36 EDT
Proposed fix: add the bind-dyndb-ldap package to the ipa-server-configure-first:upgrade_server function
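
A post-upgrade check for the condition Comment 4 describes, as an added example that is not part of the bug report or of the IPA container's code: it flags a named.conf whose bind-dyndb-ldap stanza was never migrated, so the gap is caught before `ipactl restart`. The stanza keywords (`dynamic-db` for the older style, `dyndb` for the 11.x style), the function names and the sample file are assumptions, not taken from this page.

```bash
#!/usr/bin/env bash
# Added example: classify the bind-dyndb-ldap stanza style in a named.conf.
# Assumption (not from the bug report): older bind-dyndb-ldap releases use
#     dynamic-db "ipa" { library "ldap.so"; arg "uri ..."; };
# and bind-dyndb-ldap 11.x uses
#     dyndb "ipa" "/usr/lib64/bind/ldap.so" { uri "..."; };
# Lines starting with '#' or '//' are ignored; /* */ blocks are not parsed.

# Prints one of: legacy | current | mixed | none
dyndb_style() {
    local conf=$1 legacy=no current=no
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if grep -Eq '^[[:space:]]*dynamic-db[[:space:]]+"' "$conf"; then legacy=yes; fi
    if grep -Eq '^[[:space:]]*dyndb[[:space:]]+"' "$conf"; then current=yes; fi
    case "$legacy/$current" in
        yes/no)  echo legacy ;;
        no/yes)  echo current ;;
        yes/yes) echo mixed ;;
        *)       echo none ;;
    esac
}

# Returns 0 only when no legacy stanza is left, so it can gate a restart.
named_conf_upgraded() {
    local style
    style=$(dyndb_style "$1") || return 2
    [ "$style" = current ] || [ "$style" = none ]
}

# Constructed sample input: a named.conf fragment that was never migrated.
demo_dir=$(mktemp -d)
cat > "$demo_dir/named.conf" <<'EOF'
options { directory "/var/named"; };
// dyndb "ipa" "/usr/lib64/bind/ldap.so" {
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "base cn=dns,dc=example,dc=test";
};
EOF
echo "sample named.conf style: $(dyndb_style "$demo_dir/named.conf")"
if ! named_conf_upgraded "$demo_dir/named.conf"; then
    echo "legacy stanza present: run the config upgrade before ipactl restart"
fi
rm -rf "$demo_dir"
```

Inside the container the functions would be pointed at /etc/named.conf after step 4 of the reproduction steps, before `ipactl restart` is attempted.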

Comment 7 Nikhil Dehadrai 2017-07-28 09:16:59 EDT
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64
IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64
Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a


Verified the bug on the basis of the following observations:
1. Verified that IPA server and REPLICA server set up using the ipa-docker image can be successfully upgraded to the latest version using the latest ipa-docker image. (In my case from rhel 7.3.z to rhel 7.4.z)
2. Verified that the "ipactl restart" command runs successfully on both the IPA master and the Replica set up using the ipa-docker image after the upgrade.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 10 errata-xmlrpc 2017-08-01 09:20:32 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2373