Bug 1708874

Summary: Unable to upgrade ipa data: IPA version error: data needs to be upgraded (expected version '4.7.90.pre1-3.fc30', current version '4.7.2-8.fc30')
Product: Red Hat Enterprise Linux 8
Reporter: Alexander Bokovoy <abokovoy>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: ---
CC: abokovoy, chris, extras-qa, fcami, fdc, ipa-maint, jcholast, jhrozek, ksiddiqu, ndehadra, pvoborni, rcritten, ssorce, tscherf, twoerner
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.8.0-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1708808
Environment:
Last Closed: 2019-11-05 20:53:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1708808
Bug Blocks: 1708873

Description Alexander Bokovoy 2019-05-11 09:13:53 UTC
This bug will also affect RHEL 8.1

+++ This bug was initially created as a clone of Bug #1708808 +++

Description of problem:
After dnf upgrade of freeipa server to 4.7.90.pre1-3, I'm unable to restart freeipa using ipactl due to data upgrade failing.

Version-Release number of selected component (if applicable):
freeipa-common-4.7.90.pre1-3

How reproducible:
Every time the freeipa server is started after the rpm upgrade.

Steps to Reproduce:
1. Upgrade freeipa from 4.7.2-8-fc30 to 4.7.90.pre1-3.fc30.
2. Restart freeipa server using ipactl.
 or
2. Attempt manual data migration using ipa-server-upgrade.

Actual results:
Data migration fails with "RuntimeError: no matching entry found".
Reviewed attached ipa-server-upgrade -v log.

Expected results:
Data migration process would successfully execute, data would be migrated and freeipa server suite would start.

Additional info:

--- Additional comment from Rob Crittenden on 2019-05-11 03:52:23 EEST ---

Code came from 18cb30d4638c0fecf5f02735f2b4794be5d97b67

This should let you get past the error (untested):

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 6b4e2ca..3415f08 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,14 @@ class update_tdo_to_new_layout(Updater):
 
         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
 
-        trusts = ldap.get_entries(
-            base_dn=trusts_dn,
-            scope=ldap.SCOPE_ONELEVEL,
-            filter=self.trust_filter,
-            attrs_list=self.trust_attrs)
+        try:
+            trusts = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_ONELEVEL,
+                filter=self.trust_filter,
+                attrs_list=self.trust_attrs)
+        except errors.EmptyResult:
+            trusts = []
 
         # For every trust, retrieve its principals and convert
         for t_entry in trusts:
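Review bot: the new `except errors.EmptyResult:` relies on `errors` being in scope in adtrust.py, and the hunk does not show that import; confirm `from ipalib import errors` is present in this module, otherwise an empty trusts container now fails with a NameError instead of the EmptyResult it is meant to catch. A one-line comment above the `try:` would also help, stating that an empty container is the expected state on a server with trust support installed but no trust established, since `trusts = []` silently turns the `for t_entry in trusts:` loop into a no-op and a later reader may mistake that for swallowed errors.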


Or you can skip the upgrade check with: ipactl --skip-version-check start

--- Additional comment from Chris Roadfeldt on 2019-05-11 04:27:10 EEST ---

Appreciate the patch, I don't have time to duplicate the environment tonight to test this before running it on the "prod" instance. Won't have time until next week. If no one else has tested before I am able to, will do so. Otherwise, will wait for patched release version. For now, I've downgraded back to 4.7.2-8-fc30 and have everything back up and running.

--- Additional comment from Alexander Bokovoy on 2019-05-11 11:48:54 EEST ---

Rob,

I think your proposal is correct. It covers a case when FreeIPA is configured to serve trust but there are no established trusts to AD. I'll add this patch to Fedora release.
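The case Alexander describes (trust support installed, no trust established) is worth seeing end to end, because the failure mode is an aborted upgrade rather than a wrong result. The following is an added example, not FreeIPA's code: `FakeLdap`, `EmptyResult`, `TRUSTS_DN` and the sample entries are constructed stand-ins for the IPA LDAP connection and directory, and only mimic the one property that matters here, namely that `get_entries()` raises on an empty result instead of returning an empty list.

```python
"""Why an updater step must tolerate an empty trusts container.

FreeIPA's LDAP wrapper raises errors.EmptyResult when a search matches
nothing. An updater that lets it propagate aborts ipa-server-upgrade with
"no matching entry found", and ipactl then keeps refusing to start because
the data version never advances. Everything below is a constructed
stand-in for the real backend (added example, not FreeIPA code).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Entry = Dict[str, str]


class EmptyResult(Exception):
    """Constructed stand-in for ipalib.errors.EmptyResult."""


@dataclass
class FakeLdap:
    """Constructed stand-in for the IPA LDAP connection. Entries are
    grouped by the DN of their parent container, which is all a one-level
    search needs."""
    containers: Dict[str, List[Entry]] = field(default_factory=dict)

    def get_entries(self, base_dn: str,
                    match: Optional[Callable[[Entry], bool]] = None) -> List[Entry]:
        # Like the real get_entries(): an empty result is an error, not [].
        found = [e for e in self.containers.get(base_dn, [])
                 if match is None or match(e)]
        if not found:
            raise EmptyResult("no matching entry found")
        return found


TRUSTS_DN = "cn=ad,cn=trusts,dc=ipa,dc=test"   # constructed base DN


def is_trust(entry: Entry) -> bool:
    return entry.get("objectclass") == "ipaNTTrustedDomain"


def collect_trusts_before_fix(ldap: FakeLdap) -> List[Entry]:
    # Pre-patch shape: EmptyResult propagates and the whole upgrade aborts.
    return ldap.get_entries(TRUSTS_DN, match=is_trust)


def collect_trusts_after_fix(ldap: FakeLdap) -> List[Entry]:
    # Post-patch shape: an empty container is a valid state on a server that
    # has trust support installed but no trust established yet.
    try:
        return ldap.get_entries(TRUSTS_DN, match=is_trust)
    except EmptyResult:
        return []


def before_fix_aborts(ldap: FakeLdap) -> bool:
    """True when the pre-patch lookup would abort the upgrade on this directory."""
    try:
        collect_trusts_before_fix(ldap)
    except EmptyResult:
        return True
    return False


def update_trusts(ldap: FakeLdap) -> List[str]:
    """Run the updater step and return the names of the trusts it processed.
    The real updater rewrites each trust's principals; here each trust is
    only recorded, since the point is the empty-container handling."""
    processed = []
    for t_entry in collect_trusts_after_fix(ldap):
        processed.append(t_entry["cn"])
    return processed


def make_ldap(with_trusts: bool) -> FakeLdap:
    """Constructed sample directory: the trusts container exists either way,
    which is exactly the state adtrust support leaves behind."""
    entries: List[Entry] = []
    if with_trusts:
        entries.append({"cn": "ad.example.test",
                        "objectclass": "ipaNTTrustedDomain"})
    return FakeLdap(containers={TRUSTS_DN: entries})


if __name__ == "__main__":
    print("with trusts:   ", update_trusts(make_ldap(with_trusts=True)))
    print("without trusts:", update_trusts(make_ldap(with_trusts=False)))
    print("pre-fix aborts on empty container:",
          before_fix_aborts(make_ldap(with_trusts=False)))
```

The same pattern applies to any updater that walks an optional container: distinguish "container absent or empty" (nothing to migrate, return normally) from genuine lookup failures, so a server without that feature in use can still complete the data upgrade and pass the `ipactl` version check.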

Comment 1 Alexander Bokovoy 2019-05-11 09:14:51 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/3130

Comment 5 Nikhil Dehadrai 2019-08-21 09:06:47 UTC
Verified the bug on the basis of following observations:

Tested the upgrade from RHEL 8.0 > RHEL 8.1

MASTER:
-----------
[root@vm-idm-019 ~]# tail -1 /var/log/ipaupgrade.log
2019-08-20T09:28:19Z INFO The ipa-server-upgrade command was successful
[root@vm-idm-019 ~]# rpm -q ipa-server
ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64
[root@vm-idm-019 ~]# ipactl restart
Restarting Directory Service
debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@vm-idm-019 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Ensuring ephemeralRequest is enabled in KRA]
ephemeralRequest is already enabled
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful

REPLICA:
------------
[root@vm-idm-030 ~]# tail -1 /var/log/ipaupgrade.log
2019-08-20T10:22:59Z INFO The ipa-server-upgrade command was successful
[root@vm-idm-030 ~]# rpm -q ipa-server
ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64
[root@vm-idm-030 ~]# ipactl restart
Restarting Directory Service
debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@vm-idm-030 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful


Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Comment 7 errata-xmlrpc 2019-11-05 20:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3348