Bug 1199520 - [RFE] Introduce single upgrade tool - ipa-server-upgrade
Summary: [RFE] Introduce single upgrade tool - ipa-server-upgrade
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Depends On:
Blocks: 1181710 1199516
TreeView+ depends on / blocked
Reported: 2015-03-06 14:44 UTC by Martin Kosek
Modified: 2015-11-19 12:01 UTC (History)
4 users (show)

Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2015-11-19 12:01:49 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-06 14:44:36 UTC
This bug is created as a clone of upstream ticket:

Current FreeIPA upgrade method has several major drawbacks:
* Upgrade process is split in 2 separate tools (ipa-upgradeconfig, ipa-ldap-update), where the order matters. Instead of the user, the tool itself should guarantee the right order of the steps
* Updater is run as RPM transaction. This does not work in chrooted environment (FedUP) and can also stuck RPM transaction if e.g. DS deadlocks
* Update is not always deterministic, thanks to the LDAP update files ordering

The new joint upgrade tool should solve this and other biggest pain points of the updater. It should also start storing the current version of the data/configuration it updated to, so that by default it is not run several times when the version is the same. It should also not allow running newer data/configuration on older version of the bits.

Comment 1 Tomas Babej 2015-03-19 11:35:38 UTC

Comment 5 Petr Vobornik 2015-04-14 15:41:17 UTC
Upstream ticket:

Comment 6 Petr Vobornik 2015-04-14 15:41:23 UTC
Upstream ticket:

Comment 7 Petr Vobornik 2015-04-14 15:41:27 UTC
Upstream ticket:

Comment 8 Petr Vobornik 2015-04-21 14:43:46 UTC
Upstream ticket:

Comment 17 Martin Kosek 2015-07-07 07:41:17 UTC
Upstream work on the upgrader were done. The list of major changes can be retrieved for example from FreeIPA 4.2 Alpha release notes:


Comment 19 Namita Soman 2015-09-21 20:46:42 UTC
Verified upgrading master server:
Installed 7.1 server (ipa-server-4.1.0-18.el7.x86_64)
added user on this server
yum installed 7.2 pkg - ipa-server-4.2.0-8.el7.x86_64
Ran ipa-server-upgrade to upgrade the server
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
Failed to backup CS.cfg: Dogtag must be stopped when creating backup of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 3]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful
Upgrading IPA services

and verified users added in 7.1 are available on upgraded server

Comment 20 errata-xmlrpc 2015-11-19 12:01:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.