Bug 1929940

Summary: FreeIPA server deployment fails in current F34 and Rawhide composes
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: dogtag-pkiAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 34CC: abokovoy, alee, ascheel, bcotton, edewata, gmarr, kwright, mharmsen, mkdineshprasanth, robatino
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: openqa AcceptedBlocker
Fixed In Version: dogtag-pki-10.10.5-1.fc34 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-05 02:12:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1829022    
Description Flags
log tarball from a failure on F34 none

Description Adam Williamson 2021-02-18 01:33:51 UTC
In current F34 and Rawhide, FreeIPA server deployment is failing in the same way as it is on F32 and F33 with the pending 389-ds-base updates:


See this comment from ab with some details:


I'm filing a bug to track this from openQA and also to propose it as a 34 Beta blocker, because it is one, per "It must be possible to configure a Fedora Server system installed according to the above criteria as a FreeIPA domain controller, using the official deployment tools provided in the distribution FreeIPA packages" - https://fedoraproject.org/wiki/Basic_Release_Criteria#FreeIPA_server_requirements

Comment 1 Adam Williamson 2021-02-18 01:41:10 UTC
Created attachment 1757673 [details]
log tarball from a failure on F34

Comment 2 Geoffrey Marr 2021-02-22 19:49:45 UTC
Discussed during the 2021-02-22 blocker review meeting: [0]

The decision to classify this bug as an "AcceptedBlocker (Beta)" was made as it violates the following Basic criterion:

"It must be possible to configure a Fedora Server system installed according to the above criteria as a FreeIPA domain controller, using the official deployment tools provided in the distribution FreeIPA packages"

[0] https://meetbot.fedoraproject.org/fedora-blocker-review/2021-02-22/f34-blocker-review.2021-02-22-17.07.txt

Comment 3 Adam Williamson 2021-02-26 17:05:12 UTC
Any word on a fix for this? It's been broken for some time.

Comment 4 Alex Scheel 2021-03-01 14:27:22 UTC
This has been rebuilt into a side-tag for Fedora on Thursday:

 Side tag 'f35-build-side-37912' (id 37912) created.
 Side tag 'f34-build-side-37914' (id 37914) created.
 Side tag 'f33-build-side-37916' (id 37916) created.
 Side tag 'f32-build-side-37918' (id 37918) created.

It includes a rebuilt 389ds package where applicable and I believe a IPA update as well.

I'll let Bokovoy communicate overall state of side tag and when it will be merged.

I believe there's still some discussion as to whether or not we should rebuild f34 and rawhide pki-core inside the side tag to pick up an ELN fix.

Comment 5 Adam Williamson 2021-03-01 23:10:57 UTC
I think I actually saw an update where the tests passed. Now I have to find it again. :D

Comment 6 Fedora Update System 2021-03-02 00:08:30 UTC
FEDORA-2021-263244c071 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-263244c071

Comment 7 Alexander Bokovoy 2021-03-02 07:55:19 UTC
There are four Bodhi updates which include dogtag, 389-ds, and freeipa, all rebuilt with dependencies enforced in such a way that 389-ds CVE fix will not break them.

F32: https://bodhi.fedoraproject.org/updates/FEDORA-2021-dc1a4934a5
F33: https://bodhi.fedoraproject.org/updates/FEDORA-2021-7458e2d835
F34: https://bodhi.fedoraproject.org/updates/FEDORA-2021-263244c071
F35: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c95b836c2f

Comment 8 Fedora Update System 2021-03-03 21:06:13 UTC
FEDORA-2021-263244c071 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Ben Cotton 2021-03-03 21:27:28 UTC
Setting to ON_QA since this is an accepted blocker and we want to make sure the openQA tests pass with these updates.

Comment 10 Adam Williamson 2021-03-05 02:12:45 UTC
They did, it's fixed.