Bug 1913089

Summary: ipaupgrade failed due to set incorrect location of ldif
Product: Red Hat Enterprise Linux 8
Reporter: Takahiro HASHIMOTO <thashimo>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: abokovoy, bstinson, carl, frenaud, jens-peter.kubsch, jwboyer, ksiddiqu, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-02-15 07:23:35 UTC
Type: Bug
Attachments: ipactl restart command output (flags: none)

Description Takahiro HASHIMOTO 2021-01-05 23:17:21 UTC
Created attachment 1744731 [details]
ipactl restart command output


Description of problem:

"ipaupgrade" failed after a recent CentOS Stream update. FreeIPA has been rebased from 4.8 to 4.9.

Version-Release number of selected component (if applicable):

Before: ipa-server-* 4.8.7-12.module_el8.3.0+511+8a502f20
Upgrade to: ipa-server-* 4.9.0rc3-0.5.rc3.module_el8.4.0+591+30f359c9

How reproducible:

Always

Steps to Reproduce:
1. Set up FreeIPA server 4.8.x on CentOS Stream
2. Run "dnf update" to the latest CentOS release and confirm ipa-server-* is upgraded to 4.9.x
3. Run "ipactl restart" to run ipaupgrade automatically

Actual results:

ipaupgrade fails with log in /var/log/ipaupgrade.log

Expected results:

ipaupgrade succeeds and launches ipa-server successfully.

Additional info:

The ipaupgrade process specifies the directory

"/usr/share/pki/acme/database/ds/schema.ldif"

In my environment it is located at

"/usr/share/pki/acme/database/ldap/schema.ldif"

Temporary workaround: just create a symlink to the "ldap" directory named "ds" and run ipaupgrade again. The upgrade then ended successfully.

Comment 1 Rob Crittenden 2021-01-05 23:30:53 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8634

Comment 2 Rob Crittenden 2021-01-06 00:31:17 UTC
It is failing trying to deploy the ACME service.

I think that is a relatively safe workaround. The downside is that ACME will be deployed but it will not work with that version of dogtag.

This affects new installations as well.

Once a version of dogtag that provides the distributed ACME service (10.10.0+) is available, then I believe it will just start working.

Comment 3 Rob Crittenden 2021-01-06 16:36:46 UTC
I'd also strongly recommend removing the symlink after installation/upgrade. It is only used once, and when the pki-10.10.x packages land, if it still exists then rpm may overwrite files.

Comment 4 Takahiro HASHIMOTO 2021-01-07 05:23:29 UTC
(In reply to Rob Crittenden from comment #3)
> I'd also strongly recommend removing the symlink after
> installation/upgrade. It is only used once, and when the pki-10.10.x packages
> land, if it still exists then rpm may overwrite files.

Rob, thanks for your quick response and advice!! I've removed it in my environment.
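
A check for the cleanup recommended in comment 3, as an added example that is not part of the original bug thread: it classifies the ACME database directory and removes "ds" only when it is a symlink. The function names and the optional root-prefix argument are assumptions made here; the paths are the ones quoted in the report.

```shell
#!/bin/sh
# Classify the PKI ACME database directory that ipaupgrade reads from.
# Paths are taken from the bug report. The optional root prefix argument is an
# assumption added here so the check can be run against a scratch tree.

acme_ds_state() {
    root="${1:-}"
    base="$root/usr/share/pki/acme/database"
    ds="$base/ds"

    if [ -L "$ds" ]; then
        # "ds" is a symlink: the temporary workaround from the report.
        if [ -f "$ds/schema.ldif" ]; then
            echo "workaround-symlink"
        else
            echo "symlink-without-schema"
        fi
    elif [ -f "$ds/schema.ldif" ]; then
        # A real directory holding the schema (assumed here to be the layout
        # that ipaupgrade expects from the newer pki packages).
        echo "real-directory"
    elif [ -f "$base/ldap/schema.ldif" ]; then
        # Only the old layout exists: ipaupgrade will not find ds/schema.ldif.
        echo "old-layout"
    else
        echo "absent"
    fi
}

# Remove "ds" only when it is a symlink; a real directory is never touched.
# Returns non-zero when there is nothing to remove.
remove_workaround_symlink() {
    ds="${1:-}/usr/share/pki/acme/database/ds"
    [ -L "$ds" ] || return 1
    # No trailing slash, so rm unlinks the symlink itself, not its target.
    rm -- "$ds"
}
```

Calling `acme_ds_state` with no argument inspects the live system; a result of `workaround-symlink` after a completed upgrade means the symlink is still in place.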

Comment 5 Alexander Bokovoy 2021-01-12 14:01:39 UTC
A new pki-core build is coming to CentOS Stream; it will bring pki 10.10 in a couple of days -- dist-git is already updated but the compose does not yet contain the builds.

Once it is done, this bug will fix itself as FreeIPA will properly require pki-acme for pki-core 10.10.

We also have a tightening PR on the FreeIPA side to not configure ACME if the pki-core version is below 10.10.

So please close this bug once you are able to verify that an updated pki-core 10.10 build has landed in CentOS Stream.

https://git.centos.org/modules/pki-core/c/1dbc0e3ce47cccbbb08738701ea8a7f3fba41cfc?branch=c8s-stream-10.6

Comment 6 Florence Blanc-Renaud 2021-01-15 09:09:34 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/85d4f2d9c6f8ef7a9bd9a016d894ad273c58b6d2

Comment 7 Florence Blanc-Renaud 2021-01-15 13:02:23 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66

Comment 8 Rob Crittenden 2021-01-18 14:55:55 UTC
*** Bug 1917476 has been marked as a duplicate of this bug. ***

Comment 9 Alexander Bokovoy 2021-02-15 07:17:17 UTC
$ podman run -ti  quay.io/centos/centos:stream8 /bin/bash
[root@171ba42fee31 /]# dnf module info pki-core:10.6
Last metadata expiration check: 0:00:10 ago on Mon Feb 15 07:16:33 2021.
Name             : pki-core
Stream           : 10.6
Version          : 8040020210121175224
Context          : d4d99205
Architecture     : x86_64
Profiles         : 
Default profiles : 
Repo             : appstream
Summary          : PKI Core module for PKI 10.6 or later
Description      : A module for PKI Core packages for PKI version 10.6 or later.
Requires         : pki-deps:[10.6]
                 : platform:[el8]
Artifacts        : jss-0:4.8.1-1.module_el8.4.0+651+f152bdd4.src
                 : jss-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-debuginfo-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-debugsource-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : jss-javadoc-0:4.8.1-1.module_el8.4.0+651+f152bdd4.x86_64
                 : ldapjdk-0:4.22.0-1.module_el8.4.0+627+e8937f0b.noarch
                 : ldapjdk-0:4.22.0-1.module_el8.4.0+627+e8937f0b.src
                 : ldapjdk-javadoc-0:4.22.0-1.module_el8.4.0+627+e8937f0b.noarch
                 : pki-acme-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-base-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-base-java-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-ca-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-core-0:10.10.3-1.module_el8.4.0+651+f152bdd4.src
                 : pki-core-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-core-debugsource-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-kra-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-server-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : pki-symkey-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-symkey-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-tools-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : pki-tools-debuginfo-0:10.10.3-1.module_el8.4.0+651+f152bdd4.x86_64
                 : python3-pki-0:10.10.3-1.module_el8.4.0+651+f152bdd4.noarch
                 : tomcatjss-0:7.6.1-1.module_el8.4.0+627+e8937f0b.noarch
                 : tomcatjss-0:7.6.1-1.module_el8.4.0+627+e8937f0b.src

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive
[root@171ba42fee31 /]#

Comment 10 Kaleem 2021-02-15 07:23:35 UTC
Based on the comments in https://bugzilla.redhat.com/show_bug.cgi?id=1913089#c9 and the package's existence in the following CentOS 8 Stream repo, moving this to closed now.

http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/pki-ca-10.10.3-1.module_el8.4.0+651+f152bdd4.noarch.rpm