Bug 2005795

Summary: bind-9.16.20-4.fc36 breaks ipa server installation
Product: Fedora
Component: bind
Version: rawhide
Reporter: Florence Blanc-Renaud <frenaud>
Assignee: Petr Menšík <pemensik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: aegorenk, anon.amish, dns-sig, mruprich, msehnout, pavel, pemensik, vonsch, zdohnal
Status: CLOSED RAWHIDE
Severity: urgent
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-pkcs11-0.4.11-6.fc36
Doc Type: If docs needed, set a value
Last Closed: 2021-09-21 20:37:59 UTC
Type: Bug
Bug Depends On: 2005832
Attachments: Output of journalctl -xeu named.service (flags: none)

Description Florence Blanc-Renaud 2021-09-20 07:57:07 UTC
Created attachment 1824526 [details]
Output of journalctl -xeu named.service

Description of problem:
ipa-server-install --setup-dns is broken with the recent rawhide update bind-9.16.21-1.fc36

Version-Release number of selected component (if applicable):
bind-9.16.21-1.fc36

How reproducible:
Always

Steps to Reproduce:
1. reproduced on 1minutetup rawhide machine: 1MT-Fedora-36
2. dnf update -y
3. dnf install -y freeipa-server freeipa-server-dns
4. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U

Actual results:
ipa-server-install fails with an error starting named service

Expected results:
ipa-server-install should complete successfully

Additional info:
Extract of the journal:
Sep 20 03:49:08 server.ipa.test named[47048]: BIND 9 is maintained by Internet Systems Consortium,
Sep 20 03:49:08 server.ipa.test named[47048]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 03:49:08 server.ipa.test named[47048]: corporation.  Support and training for BIND 9 are
Sep 20 03:49:08 server.ipa.test named[47048]: available at https://www.isc.org/support
Sep 20 03:49:08 server.ipa.test named[47048]: ----------------------------------------------------
Sep 20 03:49:08 server.ipa.test named[47048]: adjusted limit on open files from 524288 to 1048576
Sep 20 03:49:08 server.ipa.test named[47048]: found 1 CPU, using 1 worker thread
Sep 20 03:49:08 server.ipa.test named[47048]: using 1 UDP listener per interface
Sep 20 03:49:08 server.ipa.test named[47048]: using up to 21000 sockets
Sep 20 03:49:08 server.ipa.test named[47048]: initializing DST: no engine
Sep 20 03:49:08 server.ipa.test named[47048]: exiting (due to fatal error)
Sep 20 03:49:08 server.ipa.test systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE

Comment 3 Petr Menšík 2021-09-20 09:54:30 UTC
Hmm, confirmed it does not work. Not an issue on the bind side, however. No pkcs11 engine exists after the switch to OpenSSL 3. The build of openssl-pkcs11 failed [1] on Fedora, yet it does not have its own bug yet. It is still in a side-tag, and the installed openssl-pkcs11-0.4.11-4.fc35.x86_64 is linked to OpenSSL 1.1.

# openssl engine -vv pkcs11
00AC0538E57F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-3/pkcs11.so): /usr/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
00AC0538E57F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
00AC0538E57F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:422:
00AC0538E57F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:343:id=pkcs11

Cannot fix it until we have working openssl-pkcs11 for OpenSSL 3.

1. https://koji.fedoraproject.org/koji/taskinfo?taskID=75717780

Comment 4 Petr Menšík 2021-09-20 10:13:14 UTC
It is not the new version; it did not change anything related. It was the OpenSSL 3.0 rebuild that was responsible. Version bind-9.16.20-4.fc36 has the same problem; it was just discovered when the bind-dyndb-ldap plugin rebuild was tested.

Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: starting BIND 9.16.20-RH (Extended Support Version>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running on Linux x86_64 5.14.0-0.rc5.20210813gitf8>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: built with '--build=x86_64-redhat-linux-gnu' '--ho>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running as: named -u named -c /etc/named.conf -E p>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled by GCC 11.2.1 20210728 (Red Hat 11.2.1-1)
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with OpenSSL version: OpenSSL 3.0.0 7 sep>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to OpenSSL version: OpenSSL 3.0.0 7 sep 2021
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with libxml2 version: 2.9.12
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to libxml2 version: 20912
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: BIND 9 is maintained by Internet Systems Consortiu>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: corporation.  Support and training for BIND 9 are
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: available at https://www.isc.org/support
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: adjusted limit on open files from 524288 to 1048576
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: found 1 CPU, using 1 worker thread
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using 1 UDP listener per interface
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using up to 21000 sockets
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: initializing DST: no engine
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: exiting (due to fatal error)
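The two comments above pin the failure to a missing engine module: named is linked to OpenSSL 3, so it looks for /usr/lib64/engines-3/pkcs11.so, and the installed openssl-pkcs11 only provides the OpenSSL 1.1 module. The script below is an added diagnostic example, not code from the bug report, bind or openssl-pkcs11: it reads a named journal excerpt, extracts the OpenSSL major version named reports being linked to, checks for the "initializing DST: no engine" / "exiting (due to fatal error)" pair, and verifies that the engine module exists in the matching engines directory. The libdir /usr/lib64 and the engine name pkcs11 are taken from the paths in comment 3; the engines-1.1 directory name for OpenSSL 1.1 and the sample journal lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added diagnostic example; not part of the bug report, bind or openssl-pkcs11.
# Checks whether a named startup failure is explained by an OpenSSL engine
# module that is missing for the OpenSSL major version named is linked against.

# Constructed sample: the relevant lines from the report, with a shortened host name.
SAMPLE_JOURNAL='Sep 20 06:09:11 host named[59588]: linked to OpenSSL version: OpenSSL 3.0.0 7 sep 2021
Sep 20 06:09:11 host named[59588]: initializing DST: no engine
Sep 20 06:09:11 host named[59588]: exiting (due to fatal error)'

# Print the OpenSSL major version named reports being linked to ("3"), or "unknown".
named_openssl_major() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*linked to OpenSSL version: OpenSSL \([0-9]*\)\..*/\1/p' | head -n 1)
    printf '%s\n' "${major:-unknown}"
}

# Succeed (exit 0) when the journal shows the DST engine failure followed by a fatal exit.
dst_engine_failure() {
    printf '%s\n' "$1" | grep -q 'initializing DST: no engine' &&
        printf '%s\n' "$1" | grep -q 'exiting (due to fatal error)'
}

# Print the engines directory for an OpenSSL major version under the given libdir.
# engines-3 is the path shown in the report; engines-1.1 for OpenSSL 1.1 is an assumption.
engines_dir() {
    case "$1" in
        3) printf '%s/engines-3\n' "$2" ;;
        1) printf '%s/engines-1.1\n' "$2" ;;
        *) return 1 ;;
    esac
}

# Succeed when <engine>.so exists in the engines directory for the OpenSSL major version.
engine_present() {
    dir=$(engines_dir "$1" "$2") || return 1
    [ -f "$dir/$3.so" ]
}

# Diagnose a journal excerpt: print a verdict and return 1 only when a missing
# engine module explains the fatal exit, 0 otherwise.
# Arguments: journal text, libdir (default /usr/lib64), engine name (default pkcs11).
diagnose() {
    journal="$1"
    libdir="${2:-/usr/lib64}"
    engine="${3:-pkcs11}"
    major=$(named_openssl_major "$journal")
    if ! dst_engine_failure "$journal"; then
        echo "no DST engine failure in journal"
        return 0
    fi
    if engine_present "$major" "$libdir" "$engine"; then
        echo "DST failure seen but $engine engine exists for OpenSSL $major; look elsewhere"
        return 0
    fi
    echo "named is linked to OpenSSL $major but $(engines_dir "$major" "$libdir" || echo "<unknown dir>")/$engine.so is missing"
    return 1
}

# Stand-alone usage: diagnose the constructed sample against the system libdir.
diagnose "$SAMPLE_JOURNAL" || true
```

On a host with the broken combination the verdict names the missing module path, which is the same path `openssl engine -vv pkcs11` complains about in comment 3; once an openssl-pkcs11 built for OpenSSL 3 is installed the check passes and the journal no longer shows the DST failure.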

Comment 5 Petr Menšík 2021-09-21 20:37:59 UTC
It seems that after installation of openssl-pkcs11 built for OpenSSL 3.0, it works again just fine. We need only to wait until the new package is in the repositories.