Bug 895298
Summary: | IPA upgrade error restarting named when dirsrv off before upgrade | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | high | ||
Version: | 6.4 | CC: | cpelland, dpal, jgalipea, mkosek |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-22.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 09:32:25 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 902691 |
Description
Scott Poore
2013-01-15 01:44:54 UTC
I assume this would happen if one also did ipactl stop before upgrading. Upstream ticket: https://fedorahosted.org/freeipa/ticket/3350 Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/476aacd69963dd94de3af3d640fca783d77b4eb8 ipa-3-1: https://fedorahosted.org/freeipa/changeset/cab85b7c9a7e8b7c82915512f7d4718c4cbcbef9 ipa-3-0: https://fedorahosted.org/freeipa/changeset/a89d96fa473c70bb2c89d7a120713fcfb9463263 hmm....I'm still seeing this (and more now): Updating : ipa-server-3.0.0-22.el6.x86_64 52/95 Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /etc/httpd/alias -n ipaCert -c dogtag-ipa-renew-agent -C /usr/lib64/ipa/certmonger/renew_ra_cert -p /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1 Unable to find certmonger request ID for auditSigning Cert Updating : ipa-server-selinux-3.0.0-22.el6.x86_64 53/95 This make any sense? Do you need me to send logs? The failure to restart named will be seen, and is fine. We just don't want to blow up the rest of the upgrade. The other errors should be fixed by selinux-policy 3.7.19-193. Can you see if you have any AVCs? No AVC and I've got that version of selinux-policy (after the ugprade at least): [root@rhel6-1 log]# ausearch -m avc <no matches> [root@rhel6-1 log]# rpm -q selinux-policy selinux-policy-3.7.19-193.el6.noarch I do see this in the /var/log/ipaupgrade.log file though: 2013-01-18T04:07:06Z DEBUG args=/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX 2013-01-18T04:07:06Z DEBUG stdout=No CA with name "dogtag-ipa-renew-agent" found. 2013-01-18T04:07:06Z DEBUG stderr= 2013-01-18T04:07:06Z ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 Is this the first master installed or a replica of the first master? First master. There's also a second and a client in the env. My current guess is this is an rpm ordering issue. I think that the IPA upgrade is happening before the updated certmonger is installed, and certmonger provides this CA. Ok, we moved certmonger upgrade issue to bug #902474 Verified. Version :: ipa-server-3.0.0-23.el6.x86_64 Automated Test Results :: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: upgrade_bz_895298_check_master: IPA upgrade error restarting named when dirsrv off before upgrade :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [17:03:38] :: Machine in recipe is MASTER :: [17:03:38] :: Backing up and submitting /var/log/ipaupgrade.log :: [ PASS ] :: File '/var/log/ipaupgrade.log' should not contain 'The ipa-upgradeconfig command failed.*named restart' :: [ PASS ] :: BZ 895298 not found 2013-01-23T21:58:17Z ERROR Failed to restart named: Command '/sbin/service named restart ' returned non-zero exit status 7 :: [ PASS ] :: Running 'grep 'ERROR Failed to restart named' /var/log/ipaupgrade.log' :: [17:03:42] :: workaround: restarting everything Shutting down dirsrv: PKI-IPA...[ OK ] TESTRELM-COM... MARK-LWD-LOOP -- 2013-01-23 17:03:45 -- [ OK ] Starting dirsrv: PKI-IPA...[ OK ] TESTRELM-COM...[ OK ] Stopping Kerberos 5 KDC: [FAILED] Starting Kerberos 5 KDC: [ OK ] Stopping Kerberos 5 Admin Server: [FAILED] Starting Kerberos 5 Admin Server: [ OK ] Stopping named: [ OK ] Starting named: [ OK ] Stopping ipa_memcached: [ OK ] Starting ipa_memcached: [ OK ] Stopping httpd: [ OK ] Starting httpd: [ OK ] Stopping pki-ca: [ OK ] Starting pki-ca: [ OK ] Restarting Directory Service Restarting KDC Service Restarting KPASSWD Service Restarting DNS Service Restarting MEMCACHE Service Restarting HTTP Service Restarting CA Service :: [ PASS ] :: Running 'ipactl restart' Stopping sssd: [ OK ] Starting sssd: [ OK ] [ OK ] :: [ PASS ] :: Running 'service sssd restart' :: [17:04:27] :: Backing up and submitting /var/log/ipaupgrade.log :: [ PASS ] :: Running 'rhts-sync-set -s 'upgrade_bz_895298_check_master.83' -m 10.16.76.37' Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |