Bug 1957768
| Summary: | ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Mohammad Rizwan <myusuf> | |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | urgent | Docs Contact: | lmcgarry | |
| Priority: | unspecified | |||
| Version: | 8.4 | CC: | lmcgarry, pcech, pvoborni, rcritten, ssidhaye, toneata, tscherf, twoerner | |
| Target Milestone: | beta | Keywords: | Triaged, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.9.5-1 | Doc Type: | If docs needed, set a value | |
| Doc Text: |
.Upgrading an IdM server from RHEL 8.3 to RHEL 8.4 fails if pki-ca package version is earlier than 10.10.5
The IdM server upgrade program, `ipa-server-upgrade`, fails if the `pki-ca` package version is earlier than 10.10.5. As the required files do not exist in these versions, the IdM server upgrade does not complete successfully both at package installation and when `ipa-server-upgrade` or `ipactl` are executed.
To resolve this issue, upgrade the `pki-*` packages to version 10.10.5 or higher and run the `ipa-server-upgrade` command again.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1959984 (view as bug list) | Environment: | ||
| Last Closed: | 2021-11-09 18:29:22 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1959984 | |||
This is upgrading a non-ACME-capable installation to an ACME-capable one. A file existence check needs to be added. Upstream ticket: https://pagure.io/freeipa/issue/8832 Upstream PR https://github.com/freeipa/freeipa/pull/5756 Fixed upstream master: https://pagure.io/freeipa/c/8dac8ad834164062ef0a49d20c7bfcdf1773fbe5 Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/1aa3f7a7fd24c651aafde150351328148fd517be Kaleem discovered an important point. The version of pki-ca matters. The failing test uses pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch which lacks ACME support. Kaleem tested with pki-ca-10.10.5-2.module+el8.4.0+10466+9830f79e.noarch which works because it is ACME-capable so ACME was deployed and the missing directory and files exist. So the workaround if this happens is to upgrade the pki-* packages and re-run ipa-server-upgrade. We need to bump the Requires in ipa.spec from 10.9.0-0.4 to 10.10.5 and ideally include the upstream patch as well for correctness. Build used for verification: ipa-client-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64 ipa-client-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch ipa-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch ipa-healthcheck-core-0.7-6.module+el8.5.0+11410+91a33fe4.noarch ipa-selinux-4.9.2-4.module+el8.4.0+11156+94d209c1.noarch ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64 ipa-server-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch ipa-server-dns-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch ipa-server-trust-ad-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64 Repo Used: http://download.eng.bos.redhat.com/rhel-8/nightly/RHEL-8/latest-RHEL-8.5.0/compose/AppStream/x86_64/os/Packages/ Test Results: 2021-07-02T04:27:53 collecting ... collected 5 items 2021-07-02T04:27:53 2021-07-02T04:37:46 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_external_ca PASSED [ 20%] 2021-07-02T04:37:47 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_logs PASSED [ 40%] 2021-07-02T04:38:42 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_services PASSED [ 60%] 2021-07-02T04:38:44 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_user_verification PASSED [ 80%] 2021-07-02T04:39:12 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_teardown PASSED [100%] 2021-07-02T04:39:12 2021-07-02T04:39:12 - generated xml file: /home/jenkins/workspace/trigger-test-suite-tool/test-suite/junit.xml - 2021-07-02T04:39:12 - generated html file: file:///home/jenkins/workspace/trigger-test-suite-tool/test-suite/report.html - 2021-07-02T04:39:12 ========================== 5 passed in 679.00 seconds ========================== Attaching report.html for reference. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4230 |
Description of problem: While preforming upgrade from rhel8.3 to rhel8.4, it is failing. Version-Release number of selected component (if applicable): before upgrade : ipa-server-4.8.7-14.module+el8.3.0+9419+8502777d after upgrade: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64 How reproducible: always Steps to Reproduce: 1. install ipa server on rhel8.3 $ ipa-server-install -a Secret123 -n testrelm.test -p Secret123 --setup-dns -r TESTRELM.TEST -N --allow-zone-overlap --no-dnssec-validation --forwarder=xx.xx.xx.xx --mkhomedir --no-host-dns --auto-reverse -U 2. add the repos for rhel8.4 and update the packages $ dnf module install idm:DL1/dns -y 3. ipa-server-upgrade Actual results: [root@master ~]# ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [..] [Add default CA ACL] Default CA ACL already added IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/acme/issuer.conf' The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Expected results: ipa-server-upgrade command success Additional info: