Bug 1629935

Summary: freeipa-server cannot be installed on aarch64
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: pki-core
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 29
CC: abokovoy, alee, edewata, gmarr, ipa-maint, jcholast, jhrozek, kwright, mharmsen, pvoborni, rcritten, robatino, sgallagh, ssorce
Target Milestone: ---
Target Release: ---
Hardware: aarch64
OS: Linux
Whiteboard: AcceptedBlocker
Fixed In Version: pki-core-10.6.6-2.fc29
Doc Type: If docs needed, set a value
Last Closed: 2018-09-19 00:35:15 UTC
Type: Bug
Bug Blocks: 1517011    

Description Adam Williamson 2018-09-17 16:10:37 UTC
I just noticed last night that FreeIPA tests are failing on aarch64, e.g.:

https://openqa.stg.fedoraproject.org/tests/361168

This appears to be because the freeipa-server package is not installable at all, presumably due to dependencies. After the test runs 'dnf groupinstall freeipa-server', this happens:

2018-09-16T17:41:36Z DEBUG Adding packages from group 'freeipa-server': {<libcomps.Package object 'freeipa-server-dns' at 0xffff8f49c3a8>, <libcomps.Package object 'freeipa-server-trust-ad' at 0xffff8f49c3c0>, <libcomps.Package object 'opendnssec' at 0xffff8f49c3d8>, <libcomps.Package object 'freeipa-server' at 0xffff8f49c378>, <libcomps.Package object 'bind-dyndb-ldap' at 0xffff8f49c390>}
2018-09-16T17:41:36Z DEBUG --> Starting dependency resolution
2018-09-16T17:41:37Z DEBUG ---> Package bind.aarch64 32:9.11.4-5.P1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package bind-dyndb-ldap.aarch64 11.1-12.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package bind-pkcs11.aarch64 32:9.11.4-5.P1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package bind-pkcs11-libs.aarch64 32:9.11.4-5.P1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package bind-pkcs11-utils.aarch64 32:9.11.4-5.P1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package checkpolicy.aarch64 2.8-2.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package ldns.aarch64 1.7.0-21.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package libitm.aarch64 8.2.1-2.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package libxslt.aarch64 1.1.32-3.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package nss-tools.aarch64 3.38.0-4.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package opencryptoki.aarch64 3.10.0-2.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package opencryptoki-icsftok.aarch64 3.10.0-2.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package opencryptoki-libs.aarch64 3.10.0-2.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package opendnssec.aarch64 1.4.14-3.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package policycoreutils-python-utils.noarch 2.8-6.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package python3-IPy.noarch 0.81-23.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package python3-audit.aarch64 3.0-0.2.20180808git77fbcf3.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package python3-libsemanage.aarch64 2.8-3.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package python3-policycoreutils.noarch 2.8-6.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package python3-setools.aarch64 4.1.1-12.1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package softhsm.aarch64 2.4.0-1.fc29 will be installed

Note it tries to pull in various freeipa-server-* packages, but none of them actually winds up in the transaction.

I haven't yet figured out what the problem is and why it's aarch64-only, but wanted to get this filed and proposed as a blocker quickly. It seems like a clear blocker per Basic criterion "It must be possible to configure a Fedora Server system installed according to the above criteria as a FreeIPA domain controller..." - if the package doesn't install, we can't do any of that or the other FreeIPA-related criteria. https://fedoraproject.org/wiki/Basic_Release_Criteria#FreeIPA_server_requirements
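
An added example, not part of the original report: one way to flag the symptom described above, where packages requested by a group never reach the transaction. It parses dnf debug-log records in the format quoted in the description; the function names and the shortened sample log are assumptions constructed for illustration.

```python
import re

# Sample constructed from the excerpt in the description (shortened). The group
# record is hard-wrapped, as can happen when a log is pasted into a bug report.
SAMPLE_LOG = """\
2018-09-16T17:41:36Z DEBUG Adding packages from group 'freeipa-server': {<libcomps.Package object 'freeipa-server-dns'
 at 0xffff8f49c3a8>, <libcomps.Package object 'freeipa-server-trust-ad' at 0xffff8f49c3c0>, <libcomps.Package object '
opendnssec' at 0xffff8f49c3d8>, <libcomps.Package object 'freeipa-server' at 0xffff8f49c378>, <libcomps.Package object
 'bind-dyndb-ldap' at 0xffff8f49c390>}
2018-09-16T17:41:36Z DEBUG --> Starting dependency resolution
2018-09-16T17:41:37Z DEBUG ---> Package bind.aarch64 32:9.11.4-5.P1.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package bind-dyndb-ldap.aarch64 11.1-12.fc29 will be installed
2018-09-16T17:41:37Z DEBUG ---> Package opendnssec.aarch64 1.4.14-3.fc29 will be installed
"""

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")
GROUP_RE = re.compile(r"Adding packages from group '([^']+)': \{(.*)\}")
MEMBER_RE = re.compile(r"<libcomps\.Package object\s*'([^']+)'")
INSTALL_RE = re.compile(r"---> Package (\S+)\.(\w+) \S+ will be installed")


def unwrap(text):
    """Rejoin hard-wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def dropped_group_members(text):
    """Map each group to the members it requested that never entered the transaction."""
    requested, resolved = {}, set()
    for rec in unwrap(text):
        m = GROUP_RE.search(rec)
        if m:
            members = MEMBER_RE.findall(m.group(2))
            requested.setdefault(m.group(1), set()).update(members)
            continue
        m = INSTALL_RE.search(rec)
        if m:
            resolved.add(m.group(1))  # package name without the .arch suffix
    return {group: sorted(names - resolved) for group, names in requested.items()}


if __name__ == "__main__":
    for group, missing in dropped_group_members(SAMPLE_LOG).items():
        print(f"group {group}: requested but not in transaction: {missing}")
```

A non-empty list for a group means the resolver skipped those members without failing the command, which is the case to alert on in automated install checks.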

Comment 1 Adam Williamson 2018-09-17 16:13:59 UTC
From the Branched depcheck log, this seems to be the problem:

[freeipa]
	freeipa-server-4.7.0-1.fc29.aarch64 requires pki-symkey >= 0:10.6.0-0.2
	freeipa-server-4.7.0-1.fc29.aarch64 requires pki-kra >= 0:10.6.0-0.2
	freeipa-server-4.7.0-1.fc29.aarch64 requires pki-ca >= 0:10.6.0-0.2
	python3-ipaserver-4.7.0-1.fc29.noarch requires python3-pki >= 0:10.6.0-0.2

It seems pki-core dropped aarch64 at some point (which *absolutely* should never have happened). dgilmore added it back in https://koji.fedoraproject.org/koji/buildinfo?buildID=1143645, we need to pull that in.

Comment 2 Fedora Update System 2018-09-17 16:16:28 UTC
pki-core-10.6.6-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-84a758e93b

Comment 3 Stephen Gallagher 2018-09-17 18:22:29 UTC
+1 blocker

Comment 4 Dennis Gilmore 2018-09-17 18:35:26 UTC
+1 blocker

Comment 5 Geoffrey Marr 2018-09-17 20:03:13 UTC
Discussed during the 2018-09-17 blocker review meeting: [1]

The decision to classify this bug as an "AcceptedBlocker" was made as it violates all the FreeIPA-related criteria for aarch64, which is a release-blocking arch for Server.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-09-17/f29-blocker-review.2018-09-17-16.02.txt

Comment 6 Fedora Update System 2018-09-19 00:35:15 UTC
pki-core-10.6.6-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.