Bug 1956991
| Field | Value |
|---|---|
| Summary | During ipa-server-upgrade, CA tries to connect to ns-slapd right after directory server is restarted, and fails |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Paul Nickerson <pnickerson> |
| Component | ipa |
| Assignee | Florence Blanc-Renaud <frenaud> |
| Status | CLOSED WONTFIX |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | high |
| Priority | unspecified |
| Version | 8.3 |
| CC | abokovoy, fcami, frenaud, ftrivino, ipa-maint, jcholast, jhrozek, mhjacks, msauton, pvoborni, rcritten, sjansen, ssorce, tbordaz, tscherf, twoerner |
| Target Milestone | beta |
| Keywords | Triaged |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2022-11-04 07:27:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Paul Nickerson
2021-05-04 19:49:48 UTC
I figured out a workaround that works on my system. Edit this file: /usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py

Near the top, add this:

```python
import time
```

Find this line:

```python
logger.info('[Verifying that KDC configuration is using ipa-kdb backend]')
```

And add this right afterward:

```python
logger.info('But first, I sleep so that I don\'t stop 389 Directory Server LDAP ns-slapd while PKI Tomcat CA is trying to use it.')
time.sleep(20)
logger.info('I have woken.')
```

Save your changes, and run "ipactl restart" (or maybe ipa-server-upgrade would work). On my system, 20 seconds worked, and 4 was not enough. The idea is that "systemctl stop dirsrv" should not run until "[main] INFO: CA subsystem started" shows up in the CA debug log. And waiting 20 seconds is one dirty way to get it done.

Comment 6
sjansen

I can confirm this issue on several installations; after the latest IPA server update (RHEL 8.5 and also on some clones) the CA is dead after an upgrade. Web GUI shows "Unable to communicate with CMS (403)".

Comment 7
Florence Blanc-Renaud

(In reply to sjansen from comment #6)
> I can confirm this issue on several installations; after the latest IPA server
> update (RHEL 8.5 and also on some clones) the CA is dead after an upgrade.
> Web GUI shows "Unable to communicate with CMS (403)".

In your specific case, the error may be related to a different issue. Can you check which version of pki-servlet-engine is installed on your system + the content of /etc/pki/pki-tomcat/server.xml? You will find more information in https://access.redhat.com/solutions/6632811, but in short the update to RHEL 8.5 may have updated the file /etc/pki/pki-tomcat/server.xml while it should not.

With pki-servlet-engine-9.0.30 and below: /etc/pki/pki-tomcat/server.xml should contain requiredSecret=xxx in the section defining the AJP connector.
With pki-servlet-engine-9.0.31 and above: /etc/pki/pki-tomcat/server.xml should contain secret=xxx

This is already tracked in BZ #2029023 and BZ #2061458.

The issue described in this bugzilla is different and related to the startup of services and timeouts.

sjansen

(In reply to Florence Blanc-Renaud from comment #7)
> In your specific case, the error may be related to a different issue. Can
> you check which version of pki-servlet-engine is installed on your system +
> the content of /etc/pki/pki-tomcat/server.xml? You will find more
> information in https://access.redhat.com/solutions/6632811, but in short the
> update to RHEL 8.5 may have updated the file /etc/pki/pki-tomcat/server.xml
> while it should not.
> With pki-servlet-engine-9.0.30 and below: /etc/pki/pki-tomcat/server.xml
> should contain requiredSecret=xxx in the section defining the AJP connector.
> With pki-servlet-engine-9.0.31 and above: /etc/pki/pki-tomcat/server.xml
> should contain secret=xxx
> This is already tracked in BZ #2029023 and BZ #2061458.
>
> The issue described in this bugzilla is different and related to the startup
> of services and timeouts.

Hi Florence, I am surprised I got tagged for this issue because it's quite some time ago. Looks like this issue got moved around a bit; my original issue was in 2029023. From my side the issue got solved in 2029023 by editing server.xml to remove auth; it never reappeared on any of my FreeIPA servers, or I never got another pki update since I changed server.xml.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
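A check for the server.xml rule given in comment #7 above, as an added example that is not the IPA or PKI project's own code: it parses a constructed pki-tomcat server.xml, picks the attribute name the AJP connector should carry for a given pki-servlet-engine version (requiredSecret up to 9.0.30, secret from 9.0.31) and also flags an AJP connector that carries no shared secret at all. The function names, the sample file and the placeholder secret are assumptions.

```python
"""Verify the AJP connector secret attribute in pki-tomcat's server.xml
against the installed pki-servlet-engine version (thresholds from comment #7).
Added example, not IPA/PKI project code; the sample below is constructed."""
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for /etc/pki/pki-tomcat/server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" requiredSecret="PLACEHOLDER_SECRET"/>
  </Service>
</Server>
"""


def parse_version(version):
    """'9.0.31' or '9.0.31-1.module...' -> (9, 0, 31); numeric parts only."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())


def expected_secret_attr(engine_version):
    """Attribute name the AJP connector should carry for this engine version."""
    return "secret" if parse_version(engine_version) >= (9, 0, 31) else "requiredSecret"


def check_ajp_connectors(server_xml, engine_version):
    """One finding per AJP connector: 'ok', 'wrong-attribute' or 'no-secret'."""
    expected = expected_secret_attr(engine_version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP"):
            continue  # only the AJP listener is subject to the secret rule
        present = [a for a in ("requiredSecret", "secret") if conn.get(a)]
        if expected in present:
            status = "ok"
        elif present:
            status = "wrong-attribute"  # secret set under the name for the other version range
        else:
            status = "no-secret"        # AJP listener with no shared secret at all
        findings.append({"port": conn.get("port"), "expected": expected,
                         "present": present, "status": status})
    return findings


if __name__ == "__main__":
    for ver in ("9.0.30", "9.0.31"):
        print(ver, check_ajp_connectors(SAMPLE_SERVER_XML, ver))
```

Run it against the real file by replacing SAMPLE_SERVER_XML with the contents of /etc/pki/pki-tomcat/server.xml and the version with the output of rpm -q pki-servlet-engine.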