Bug 893722

Summary: ipa-server upgrade ERROR Cannot move CRL file to new directory
Product: Red Hat Enterprise Linux 6 Reporter: Scott Poore <spoore>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.4CC: jgalipea, mkosek, tlavigne
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-3.0.0-21.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:31:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 895654    

Description Scott Poore 2013-01-09 18:58:42 UTC 
Description of problem:

During the yum update from 2.2.0-16 to 3.0.0-20 I'm seeing this:

  Updating   : ipa-server-3.0.0-20.el6.x86_64                                                    43/86
Cannot move CRL file to new directory: [Errno 2] No such file or directory: '/var/lib/ipa/pki-ca/publish/MasterCRL.bin'
  Updating   : ipa-server-selinux-3.0.0-20.el6.x86_64                                            44/86

But, afterwards, I do see that:

[root@rhel6-1 ipa-upgrade]# ls -ld /var/lib/ipa/pki-ca/publish/MasterCRL.bin
lrwxrwxrwx. 1 root root 57 Jan  9 11:55 /var/lib/ipa/pki-ca/publish/MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130109-113944.der

[root@rhel6-1 ipa-upgrade]# file /var/lib/ipa/pki-ca/publish/MasterCRL-20130109-113944.der
/var/lib/ipa/pki-ca/publish/MasterCRL-20130109-113944.der: data

Looking at the /var/log/ipaupgrade.log file: 

2013-01-09T17:55:42Z DEBUG copy_crl_file: /var/lib/pki-ca/publish/MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL.bin
2013-01-09T17:55:42Z DEBUG copy_crl_file: Create symlink /var/lib/ipa/pki-ca/publish/MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130109-113944.der
2013-01-09T17:55:42Z ERROR Cannot move CRL file to new directory: [Errno 2] No such file or directory: '/var/lib/ipa/pki-ca/publish/MasterCRL.bin'
2013-01-09T17:55:42Z DEBUG copy_crl_file: /var/lib/pki-ca/publish/MasterCRL-20130109-113944.der -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130109-113944.der

It looks like it's failing because it tries to create the symlink before copying the .der file to the new location?


Version-Release number of selected component (if applicable):
2.2.0 to 3.0.0 yum update 'ipa*'

How reproducible:
always


Steps to Reproduce:
1. setup rhel 6.3 IPA master server
2. point to rhel 6.4 repos for yum
3. yum update 'ipa*'
  
Actual results:
works but see this error:

  Updating   : ipa-server-3.0.0-20.el6.x86_64                                                    43/86
Cannot move CRL file to new directory: [Errno 2] No such file or directory: '/var/lib/ipa/pki-ca/publish/MasterCRL.bin'
  Updating   : ipa-server-selinux-3.0.0-20.el6.x86_64                                            44/86


Expected results:

Files copied in appropriate order and no error should be seen here?

Additional info:

see above in description.
Comment 2 Martin Kosek 2013-01-10 12:43:39 UTC 
This bug could lead to unreachable CRL file as exactly this symlink is read served by httpd to clients and mentioned in published certificates.

I would rather see this included in RHEL-6.4 (if possible) - I will create a patch.
Comment 3 Martin Kosek 2013-01-10 13:21:49 UTC 
I just found when reproducing the issue in real server that this error message is actually benign and is reported not in the copy phase, but when we try to do `chown' on the copied symlink. This should still be fixed, but it is not a blocker for RHEL 6.4.
Comment 4 Martin Kosek 2013-01-10 13:22:11 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3336
Comment 5 Martin Kosek 2013-01-11 09:55:36 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/79bcf904a50aff704819134a58d09ba688b285e8
ipa-3-1: https://fedorahosted.org/freeipa/changeset/d9114842f62b465306ecbba40bda5c57f581260b
ipa-3-0: https://fedorahosted.org/freeipa/changeset/1fc0d1256bba3358017f4cd8b214a2497489e500
Comment 8 Namita Soman 2013-01-15 18:15:31 UTC 
Upgraded to ipa-server-3.0.0-21.el6.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: upgrade_bz_893722: ipa-server upgrade ERROR Cannot move CRL file to new directory
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [00:19:14] ::  Machine in recipe is MASTER
:: [   PASS   ] :: File '/var/log/ipaupgrade.log' should not contain 'Cannot move CRL file to new directory'
:: [   PASS   ] :: BZ 893722 not found
:: [   PASS   ] :: Running 'rhts-sync-set -s 'upgrade_bz_893722.110' -m 10.16.76.43'
'5f3b3f80-a389-4196-aadc-01df5830a2da'
upgrade-bz-893722 result: PASS
Comment 10 errata-xmlrpc 2013-02-21 09:31:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html