Bug 1905919
Field | Value
---|---
Summary | ipa-server-upgrade fails with traceback "exception: KeyError: 'DOMAIN'"
Product | Red Hat Enterprise Linux 8
Component | ipa
Version | 8.4
Status | CLOSED ERRATA
Severity | unspecified
Priority | urgent
Reporter | Mohammad Rizwan <myusuf>
Assignee | Thomas Woerner <twoerner>
QA Contact | ipa-qe <ipa-qe>
CC | abokovoy, ndehadra, pcech, rcritten, tscherf
Keywords | Regression, Triaged
Target Milestone | rc
Target Release | 8.0
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipa-4.9.0-0.5.rc3
Doc Type | If docs needed, set a value
Last Closed | 2021-05-18 15:48:23 UTC
Type | Bug
Bug Blocks | 1569011, 1902727

Description
Mohammad Rizwan
2020-12-09 10:41:18 UTC
It is observed when upgrading the ipa packages from ipa-server-4.8.7-13 to ipa-server-4.9.0-0.3.rc2.module+el8.4.0+9015+e4c6695a.x86_64

Upstream PR: https://github.com/freeipa/freeipa/pull/5328

Tested the bug on the basis of following observations using Nightly Compose for RC3:

IPA build: ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
TestCompose: Nightly

Scenario: After Upgrade (RHEL83z > RHEL84-Nightly(rc3)):
--------------------------------------------------------

```
root@master /]# rpm -q ipa-server
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
[root@master /]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Profile 'AdminCert' is already in LDAP and enabled; skipping
Profile 'DomainController' is already in LDAP and enabled; skipping
Profile 'ECAdminCert' is already in LDAP and enabled; skipping
Profile 'acmeServerCert' is already in LDAP and enabled; skipping
Profile 'caAdminCert' is already in LDAP and enabled; skipping
Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping
Profile 'caAgentServerCert' is already in LDAP and enabled; skipping
Profile 'caAuditSigningCert' is already in LDAP and enabled; skipping
Profile 'caCACert' is already in LDAP and enabled; skipping
Profile 'caCMCECUserCert' is already in LDAP and enabled; skipping
Profile 'caCMCECserverCert' is already in LDAP and enabled; skipping
Profile 'caCMCECsubsystemCert' is already in LDAP and enabled; skipping
Profile 'caCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caCMCauditSigningCert' is already in LDAP and enabled; skipping
Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
Profile 'caCMCkraStorageCert' is already in LDAP and enabled; skipping
Profile 'caCMCkraTransportCert' is already in LDAP and enabled; skipping
Profile 'caCMCocspCert' is already in LDAP and enabled; skipping
Profile 'caCMCserverCert' is already in LDAP and enabled; skipping
Profile 'caCMCsubsystemCert' is already in LDAP and enabled; skipping
Profile 'caCrossSignedCACert' is already in LDAP and enabled; skipping
Profile 'caDirBasedDualCert' is already in LDAP and enabled; skipping
Profile 'caDirPinUserCert' is already in LDAP and enabled; skipping
Profile 'caDirUserCert' is already in LDAP and enabled; skipping
Profile 'caDirUserRenewal' is already in LDAP and enabled; skipping
Profile 'caDualCert' is already in LDAP and enabled; skipping
Profile 'caDualRAuserCert' is already in LDAP and enabled; skipping
Profile 'caECAdminCert' is already in LDAP and enabled; skipping
Profile 'caECAgentServerCert' is already in LDAP and enabled; skipping
Profile 'caECDirPinUserCert' is already in LDAP and enabled; skipping
Profile 'caECDirUserCert' is already in LDAP and enabled; skipping
Profile 'caECFullCMCSharedTokenCert' is already in LDAP and enabled; skipping
Profile 'caECFullCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caECFullCMCUserSignedCert' is already in LDAP and enabled; skipping
Profile 'caECInternalAuthServerCert' is already in LDAP and enabled; skipping
Profile 'caECInternalAuthSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caECServerCert' is already in LDAP and enabled; skipping
Profile 'caECServerCertWithSCT' is already in LDAP and enabled; skipping
Profile 'caECSimpleCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caECSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caECUserCert' is already in LDAP and enabled; skipping
Profile 'caEncUserCert' is already in LDAP and enabled; skipping
Profile 'caFullCMCSharedTokenCert' is already in LDAP and enabled; skipping
Profile 'caFullCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caFullCMCUserSignedCert' is already in LDAP and enabled; skipping
Profile 'caIPAserviceCert' is already in LDAP and enabled; skipping
Profile 'caInstallCACert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthAuditSigningCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthDRMstorageCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthOCSPCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthServerCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthTransportCert' is already in LDAP and enabled; skipping
Profile 'caJarSigningCert' is already in LDAP and enabled; skipping
Profile 'caManualRenewal' is already in LDAP and enabled; skipping
Profile 'caOCSPCert' is already in LDAP and enabled; skipping
Profile 'caOtherCert' is already in LDAP and enabled; skipping
Profile 'caRACert' is already in LDAP and enabled; skipping
Profile 'caRARouterCert' is already in LDAP and enabled; skipping
Profile 'caRAagentCert' is already in LDAP and enabled; skipping
Profile 'caRAserverCert' is already in LDAP and enabled; skipping
Profile 'caRouterCert' is already in LDAP and enabled; skipping
Profile 'caSSLClientSelfRenewal' is already in LDAP and enabled; skipping
Profile 'caServerCert' is already in LDAP and enabled; skipping
Profile 'caServerCertWithSCT' is already in LDAP and enabled; skipping
Profile 'caServerKeygen_DirUserCert' is already in LDAP and enabled; skipping
Profile 'caServerKeygen_UserCert' is already in LDAP and enabled; skipping
Profile 'caSignedLogCert' is already in LDAP and enabled; skipping
Profile 'caSigningUserCert' is already in LDAP and enabled; skipping
Profile 'caSimpleCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caStorageCert' is already in LDAP and enabled; skipping
Profile 'caSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caTPSCert' is already in LDAP and enabled; skipping
Profile 'caTempTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTempTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTempTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenMSLoginEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserAuthKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caTokenUserDelegateAuthKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserDelegateSigningKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserEncryptionKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserSigningKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caTransportCert' is already in LDAP and enabled; skipping
Profile 'caUUIDdeviceCert' is already in LDAP and enabled; skipping
Profile 'caUserCert' is already in LDAP and enabled; skipping
Profile 'caUserSMIMEcapCert' is already in LDAP and enabled; skipping
[Ensuring presence of included profiles]
Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
Profile 'caIPAserviceCert' is already in LDAP; skipping
Profile 'IECUserRoles' is already in LDAP; skipping
Profile 'acmeIPAServerCert' is already in LDAP; skipping
[Add default CA ACL]
Default CA ACL already added
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root alias to admin account]
Alias already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Adding ipa-ca alias to HTTP certificate]
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@master /]# tail -1 /var/log/ipaupgrade.log
2020-12-17T12:28:58Z INFO The ipa-server-upgrade command was successful
[root@master /]#
```

Scenario2: Plain installation
--------------------------------

```
[root@master ~]# rpm -qa ipa-server
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
[root@master ~]#
[root@master ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
Updating DNS system records
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Profile 'acmeServerCert' is already in LDAP and enabled; skipping
Profile 'caCMCserverCert' is already in LDAP and enabled; skipping
Profile 'caCMCECserverCert' is already in LDAP and enabled; skipping
Profile 'caCMCECsubsystemCert' is already in LDAP and enabled; skipping
Profile 'caCMCsubsystemCert' is already in LDAP and enabled; skipping
Profile 'caCMCauditSigningCert' is already in LDAP and enabled; skipping
Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
Profile 'caCMCocspCert' is already in LDAP and enabled; skipping
Profile 'caCMCkraTransportCert' is already in LDAP and enabled; skipping
Profile 'caCMCkraStorageCert' is already in LDAP and enabled; skipping
Profile 'caServerKeygen_UserCert' is already in LDAP and enabled; skipping
Profile 'caServerKeygen_DirUserCert' is already in LDAP and enabled; skipping
Profile 'caUserCert' is already in LDAP and enabled; skipping
Profile 'caECUserCert' is already in LDAP and enabled; skipping
Profile 'caUserSMIMEcapCert' is already in LDAP and enabled; skipping
Profile 'caDualCert' is already in LDAP and enabled; skipping
Profile 'caDirBasedDualCert' is already in LDAP and disabled; skipping
Profile 'AdminCert' is already in LDAP and enabled; skipping
Profile 'ECAdminCert' is already in LDAP and enabled; skipping
Profile 'caSignedLogCert' is already in LDAP and enabled; skipping
Profile 'caTPSCert' is already in LDAP and enabled; skipping
Profile 'caRARouterCert' is already in LDAP and enabled; skipping
Profile 'caRouterCert' is already in LDAP and enabled; skipping
Profile 'caServerCert' is already in LDAP and enabled; skipping
Profile 'caECServerCert' is already in LDAP and enabled; skipping
Profile 'caServerCertWithSCT' is already in LDAP and enabled; skipping
Profile 'caECServerCertWithSCT' is already in LDAP and enabled; skipping
Profile 'caSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caECSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caOtherCert' is already in LDAP and enabled; skipping
Profile 'caCACert' is already in LDAP and enabled; skipping
Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
Profile 'caCrossSignedCACert' is already in LDAP and disabled; skipping
Profile 'caInstallCACert' is already in LDAP and enabled; skipping
Profile 'caRACert' is already in LDAP and disabled; skipping
Profile 'caOCSPCert' is already in LDAP and enabled; skipping
Profile 'caStorageCert' is already in LDAP and enabled; skipping
Profile 'caTransportCert' is already in LDAP and enabled; skipping
Profile 'caDirPinUserCert' is already in LDAP and disabled; skipping
Profile 'caECDirPinUserCert' is already in LDAP and disabled; skipping
Profile 'caDirUserCert' is already in LDAP and enabled; skipping
Profile 'caECDirUserCert' is already in LDAP and enabled; skipping
Profile 'caAgentServerCert' is already in LDAP and enabled; skipping
Profile 'caECAgentServerCert' is already in LDAP and enabled; skipping
Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping
Profile 'caCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caCMCECUserCert' is already in LDAP and enabled; skipping
Profile 'caFullCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caECFullCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caFullCMCUserSignedCert' is already in LDAP and disabled; skipping
Profile 'caECFullCMCUserSignedCert' is already in LDAP and disabled; skipping
Profile 'caFullCMCSharedTokenCert' is already in LDAP and disabled; skipping
Profile 'caECFullCMCSharedTokenCert' is already in LDAP and disabled; skipping
Profile 'caSimpleCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caECSimpleCMCUserCert' is already in LDAP and enabled; skipping
Profile 'caTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTempTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTempTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTempTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caAdminCert' is already in LDAP and enabled; skipping
Profile 'caECAdminCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthServerCert' is already in LDAP and enabled; skipping
Profile 'caECInternalAuthServerCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthTransportCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthDRMstorageCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caECInternalAuthSubsystemCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthOCSPCert' is already in LDAP and enabled; skipping
Profile 'caInternalAuthAuditSigningCert' is already in LDAP and enabled; skipping
Profile 'DomainController' is already in LDAP and enabled; skipping
Profile 'caDualRAuserCert' is already in LDAP and enabled; skipping
Profile 'caRAagentCert' is already in LDAP and enabled; skipping
Profile 'caRAserverCert' is already in LDAP and enabled; skipping
Profile 'caUUIDdeviceCert' is already in LDAP and disabled; skipping
Profile 'caSSLClientSelfRenewal' is already in LDAP and enabled; skipping
Profile 'caDirUserRenewal' is already in LDAP and enabled; skipping
Profile 'caManualRenewal' is already in LDAP and enabled; skipping
Profile 'caTokenMSLoginEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserSigningKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caTokenUserEncryptionKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caTokenUserAuthKeyRenewal' is already in LDAP and enabled; skipping
Profile 'caJarSigningCert' is already in LDAP and enabled; skipping
Profile 'caIPAserviceCert' is already in LDAP and enabled; skipping
Profile 'caAuditSigningCert' is already in LDAP and enabled; skipping
Profile 'caEncUserCert' is already in LDAP and enabled; skipping
Profile 'caSigningUserCert' is already in LDAP and enabled; skipping
Profile 'caTokenUserDelegateAuthKeyEnrollment' is already in LDAP and enabled; skipping
Profile 'caTokenUserDelegateSigningKeyEnrollment' is already in LDAP and enabled; skipping
[Ensuring presence of included profiles]
Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
Profile 'IECUserRoles' is already in LDAP; skipping
Profile 'acmeIPAServerCert' is already in LDAP; skipping
Profile 'caIPAserviceCert' is already in LDAP; skipping
[Add default CA ACL]
[Migrating to authselect profile]
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root alias to admin account]
Alias already exists
[Setup SPAKE]
[Setup PKINIT]
[Enable server krb5.conf snippet]
[Adding ipa-ca alias to HTTP certificate]
Certificate is OK; nothing to do
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
# tail -1 /var/log/ipaupgrade.log
The ipa-server-upgrade command was successful
```

Thus on the basis of above observations, marking the status of bug to "VERIFIED"

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846