Bug 2079400

Summary:	upgrade from Fedora 35 fails
Product:	[Fedora] Fedora	Reporter:	Dennis Gilmore <dgilmore>
Component:	dogtag-pki	Assignee:	Chris Kelley <ckelley>
Status:	CLOSED EOL	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	36	CC:	abokovoy, alee, alexander.m.scheel, awilliam, bcotton, cdorney, cfu, ckelley, edewata, jmagne, kwright, mharmsen, mkdineshprasanth, pcech, robatino
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	RejectedBlocker
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-05-25 15:45:57 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Dennis Gilmore 2022-04-27 13:37:11 UTC

Description of problem:
Upgrading my freeipa servers from Fedora 35 to 36 I hit an issue with dogtag

ERROR: [Errno 13] Permission denied: 'ca'
Apr 27 13:09:21 martouf.ausil.us pki-server[170272]: Traceback (most recent call last):
Apr 27 13:09:21 martouf.ausil.us pki-server[170272]:   File "/usr/lib64/python3.10/shutil.py", line 813, in move
Apr 27 13:09:21 martouf.ausil.us pki-server[170272]:     os.rename(src, real_dst)
Apr 27 13:09:21 martouf.ausil.us pki-server[170272]: PermissionError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/ca/profiles' -> '/etc/pki/pki-tomcat/ca/profiles/profiles'

was in the output from the first attempt from running ipa-server-upgrade. subsequent attempts the pki process failed with an error saying that /etc/pki/pki-tomcat/ca/profiles/profiles already existed. removing /etc/pki/pki-tomcat/ca/profiles/profiles and running "pki-server upgrade" allowed everything to run and then the ipa-server-upgrade process completed 

Version-Release number of selected component (if applicable):
dogtag-pki-symkey-11.0.2-1.fc35.aarch64
krb5-pkinit-1.19.2-6.fc36.aarch64
pki-resteasy-jackson2-provider-3.0.26-15.fc36.noarch
pki-resteasy-core-3.0.26-15.fc36.noarch
pki-resteasy-client-3.0.26-15.fc36.noarch
python3-dogtag-pki-11.1.0-1.fc36.noarch
dogtag-pki-base-11.1.0-1.fc36.noarch
dogtag-pki-java-11.1.0-1.fc36.noarch
dogtag-pki-tools-11.1.0-1.fc36.aarch64
dogtag-pki-server-11.1.0-1.fc36.noarch
dogtag-pki-acme-11.1.0-1.fc36.noarch
dogtag-pki-ca-11.1.0-1.fc36.noarch
dogtag-pki-kra-11.1.0-1.fc36.noarch


How reproducible:

always
Steps to Reproduce:
1. upgrade from f35 to f36
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Fedora Blocker Bugs Application 2022-04-27 13:45:27 UTC

Proposed as a Blocker for 36-final by Fedora user ausil using the blocker tracking app because:

 freeipa fails to function after upgrade from fedora 35

Comment 2 Chris Kelley 2022-04-27 14:19:44 UTC

Could you please provide more comprehensive log output, so we can see where in the process is/what command produced the first error?

Comment 6 Dennis Gilmore 2022-04-27 17:29:56 UTC

logs provided privately, for a bit more detail I went from dogtag-pki 11.0.2-1.fc35 to 11.1.0-1.fc36 as part of the upgrade freeipa went from 4.9.8-1.fc35 to 4.9.8-3.fc36

Comment 7 Adam Williamson 2022-04-28 16:37:50 UTC

For the record, we do have an automated test for this, and it passes regularly. It deploys a clean Fedora 35 install as a FreeIPA server, deploys another clean F35 install as a client, checks everything works, then upgrades both systems to F36 and checks that things work again. It works fine:

https://openqa.fedoraproject.org/tests/1245377 (server)
https://openqa.fedoraproject.org/tests/1245401 (client)

...well, OK, there's an apparent packaging error in sssd which requires `--allowerasing` for the upgrade, I should've spotted that earlier. But aside from that, it works fine. :)

Comment 8 Adam Williamson 2022-04-28 16:41:27 UTC

ah, that issue is because sssd in f35 is newer than in f36. When the 2.7.0 in updates-testing goes stable for f36 it should go away.

Comment 9 Chris Kelley 2022-04-28 16:50:29 UTC

Interesting, thanks for that!

Comment 10 Ben Cotton 2022-04-28 19:14:38 UTC

In today's Go/No-Go meeting, we agreed to reject this as a blocker because the openQA tests succeed and there's insufficient information to call this a blocker.
https://meetbot.fedoraproject.org/fedora-meeting/2022-04-28/f36-final-go_no_go-meeting.2022-04-28-17.01.log.html#l-76

Comment 13 Dennis Gilmore 2022-06-02 14:26:18 UTC

both masters do not have a log file at  /var/log/ipaserver-upgrade.log

Comment 14 Ben Cotton 2023-04-25 17:03:03 UTC

This message is a reminder that Fedora Linux 36 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 36 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 15 Ludek Smid 2023-05-25 15:45:57 UTC

Fedora Linux 36 entered end-of-life (EOL) status on 2023-05-16.

Fedora Linux 36 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.