Bug 1708874
Summary: | Unable to upgrade ipa data: IPA version error: data needs to be upgraded (expected version '4.7.90.pre1-3.fc30', current version '4.7.2-8.fc30') | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexander Bokovoy <abokovoy> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | --- | CC: | abokovoy, chris, extras-qa, fcami, fdc, ipa-maint, jcholast, jhrozek, ksiddiqu, ndehadra, pvoborni, rcritten, ssorce, tscherf, twoerner |
Target Milestone: | rc | ||
Target Release: | 8.0 | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.8.0-1 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | 1708808 | Environment: | |
Last Closed: | 2019-11-05 20:53:20 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1708808 | ||
Bug Blocks: | 1708873 |
Description
Alexander Bokovoy
2019-05-11 09:13:53 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/3130 Fixed upstream master: https://pagure.io/freeipa/c/98b4c710d90f289322ebda457fdb84c2dd34aace Fixed upstream ipa-4-7: https://pagure.io/freeipa/c/81756c78b7760003d12d7c5e252446972f101258 Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/aa8b1b963d697b40178e2c762fbefb9762e84e14 Verified the bug on the basis of following observations: Tested the upgrade from RHEL 80 > RHEL 8.1 MASTER: ----------- [root@vm-idm-019 ~]# tail -1 /var/log/ipaupgrade.log 2019-08-20T09:28:19Z INFO The ipa-server-upgrade command was successful [root@vm-idm-019 ~]# rpm -q ipa-server ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64 [root@vm-idm-019 ~]# ipactl restart Restarting Directory Service debugging enabled, suppressing output. Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting smb Service Restarting winbind Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@vm-idm-019 ~]# ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/11]: stopping directory server [2/11]: saving configuration [3/11]: disabling listeners [4/11]: enabling DS global lock [5/11]: disabling Schema Compat [6/11]: starting directory server [7/11]: updating schema [8/11]: upgrading server [9/11]: stopping directory server [10/11]: restoring configuration [11/11]: starting directory server Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services Disabled p11-kit-proxy [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved [Ensuring ephemeralRequest is enabled in KRA] ephemeralRequest is already enabled [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating HTTPD service IPA configuration] [Updating HTTPD service IPA WSGI configuration] Nothing to do for configure_httpd_wsgi_conf [Migrating from mod_nss to mod_ssl] Already migrated to mod_ssl [Moving HTTPD service keytab to gssproxy] [Removing self-signed CA] [Removing Dogtag 9 CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration] [Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones] Changes to named.conf have been made, restart named [Upgrading CA schema] CA schema update complete (no changes) [Verifying that CA audit signing cert has 2 year validity] [Update certmonger certificate renewal configuration] Certmonger certificate renewal configuration updated [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] pki-tomcat configuration changed, restart pki-tomcat [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] [Ensuring presence of included profiles] [Add default CA ACL] Default CA ACL already added [Migrating to authselect profile] Already migrated to authselect profile [Create systemd-user hbac service and rule] hbac service systemd-user already exists [Setup SPAKE] [Setup PKINIT] [Enable certauth] The IPA services were upgraded The ipa-server-upgrade command was successful REPLICA: ------------ [root@vm-idm-030 ~]# tail -1 /var/log/ipaupgrade.log 2019-08-20T10:22:59Z INFO The ipa-server-upgrade command was successful [root@vm-idm-030 ~]# rpm -q ipa-server ipa-server-4.8.0-9.module+el8.1.0+4011+fd4be199.x86_64 [root@vm-idm-030 ~]# ipactl restart Restarting Directory Service debugging enabled, suppressing output. Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting pki-tomcatd Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@vm-idm-030 ~]# ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/11]: stopping directory server [2/11]: saving configuration [3/11]: disabling listeners [4/11]: enabling DS global lock [5/11]: disabling Schema Compat [6/11]: starting directory server [7/11]: updating schema [8/11]: upgrading server [9/11]: stopping directory server [10/11]: restoring configuration [11/11]: starting directory server Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services Disabled p11-kit-proxy [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating HTTPD service IPA configuration] [Updating HTTPD service IPA WSGI configuration] Nothing to do for configure_httpd_wsgi_conf [Migrating from mod_nss to mod_ssl] Already migrated to mod_ssl [Moving HTTPD service keytab to gssproxy] [Removing self-signed CA] [Removing Dogtag 9 CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones] Changes to named.conf have been made, restart named [Upgrading CA schema] CA schema update complete (no changes) [Verifying that CA audit signing cert has 2 year validity] [Update certmonger certificate renewal configuration] Certmonger certificate renewal configuration updated [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] pki-tomcat configuration changed, restart pki-tomcat [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] [Ensuring presence of included profiles] [Add default CA ACL] Default CA ACL already added [Migrating to authselect profile] Already migrated to authselect profile [Create systemd-user hbac service and rule] hbac service systemd-user already exists [Setup SPAKE] [Setup PKINIT] [Enable certauth] The IPA services were upgraded The ipa-server-upgrade command was successful Thus on the basis of below observations marking the status of bug to 'VERIFIED' Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3348 |