Bug 1708808

Summary: Unable to upgrade ipa data: IPA version error: data needs to be upgraded (expected version '4.7.90.pre1-3.fc30', current version '4.7.2-8.fc30')
Product: [Fedora] Fedora Reporter: Chris Roadfeldt <chris>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 30CC: abokovoy, contribs, fcami, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-4.7.90.pre1-4.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1708873 1708874 (view as bug list) Environment:
Last Closed: 2019-05-20 01:03:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1708873, 1708874    
Attachments:
Description Flags
ipa-server-upgrade -v log none

Description Chris Roadfeldt 2019-05-10 22:23:46 UTC 
Created attachment 1566849 [details]
ipa-server-upgrade -v log

Description of problem:
After dnf upgrade of freeipa server to 4.7.90.pre1-3, I'm unable to restart freeipa using ipactl due to data upgrade failing.

Version-Release number of selected component (if applicable):
freeipa-common-4.7.90.pre1-3

How reproducible:
Everytime freeipa server is attempted to be started after rpm upgrade.

Steps to Reproduce:
1. Upgrade freeipa from 4.7.2-8-fc30 to 4.7.90.pre1-3.fc30.
2. Restart freeipa server using ipactl.
 or
2. Attempt manual data migration using ipa-server-upgrade.

Actual results:
Data migration fails with "RuntimeError: no matching entry found"
Reviewed attached spa-server-upgrade -v log.

Expected results:
Data migration process would successfully execute, data would be migrated and freeipa server suite would start.

Additional info:
Comment 1 Rob Crittenden 2019-05-11 00:52:23 UTC 
Code came from 18cb30d4638c0fecf5f02735f2b4794be5d97b67

This should let you get past the error (untested):

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins
/adtrust.py
index 6b4e2ca..3415f08 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,14 @@ class update_tdo_to_new_layout(Updater):
 
         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
 
-        trusts = ldap.get_entries(
-            base_dn=trusts_dn,
-            scope=ldap.SCOPE_ONELEVEL,
-            filter=self.trust_filter,
-            attrs_list=self.trust_attrs)
+        try:
+            trusts = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_ONELEVEL,
+                filter=self.trust_filter,
+                attrs_list=self.trust_attrs)
+        except errors.EmptyResult:
+            trusts = []
 
         # For every trust, retrieve its principals and convert
         for t_entry in trusts:


Or you can skip the upgrade check with: ipactl --skip-version-check start
Comment 2 Chris Roadfeldt 2019-05-11 01:27:10 UTC 
Appreciate the patch, I don't have time to duplicate the environment tonight to test this before running it on the "prod" instance. Won't have time until next week. If no one else has tested before I am able to, will do so. Otherwise, will wait for patched release version. For now, I've downgraded back to 4.7.2-8-fc30 and have everything back up and running.
Comment 3 Alexander Bokovoy 2019-05-11 08:48:54 UTC 
Rob,

I think your proposal is correct. It covers a case when FreeIPA is configured to serve trust but there are no established trusts to AD. I'll add this patch to Fedora release.
Comment 4 Fedora Update System 2019-05-11 09:26:29 UTC 
freeipa-4.7.90.pre1-4.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70a413c82d
Comment 5 Chris Roadfeldt 2019-05-11 18:25:05 UTC 
Install pre1-4, made it past the ad-trust issue, encountered an unexpected error. Will open a new bugzilla ticket for that.
Comment 6 François Cami 2019-05-11 19:16:55 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/98b4c710d90f289322ebda457fdb84c2dd34aace
Comment 7 Fedora Update System 2019-05-12 00:45:09 UTC 
freeipa-4.7.90.pre1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70a413c82d
Comment 8 François Cami 2019-05-12 21:43:37 UTC 
Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/81756c78b7760003d12d7c5e252446972f101258
Comment 9 François Cami 2019-05-12 21:44:31 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/aa8b1b963d697b40178e2c762fbefb9762e84e14
Comment 10 Fedora Update System 2019-05-20 01:03:23 UTC 
freeipa-4.7.90.pre1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.