Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4904 Current FreeIPA upgrade method has several major drawbacks: * Upgrade process is split in 2 separate tools (ipa-upgradeconfig, ipa-ldap-update), where the order matters. Instead of the user, the tool itself should guarantee the right order of the steps * Updater is run as RPM transaction. This does not work in chrooted environment (FedUP) and can also stuck RPM transaction if e.g. DS deadlocks * Update is not always deterministic, thanks to the LDAP update files ordering The new joint upgrade tool should solve this and other biggest pain points of the updater. It should also start storing the current version of the data/configuration it updated to, so that by default it is not run several times when the version is the same. It should also not allow running newer data/configuration on older version of the bits.
Remove unused PRE_SCHEMA_UPDATE master: https://fedorahosted.org/freeipa/changeset/d3f5d5d1ff5a730d5c268456015fee36a7dc5bff
master: https://fedorahosted.org/freeipa/changeset/bb1d7a741c3e8c932e13e642adb1799957becb0c https://fedorahosted.org/freeipa/changeset/10bc6bd0bf96bda733500e12e7a8c2463ebf7fe4 https://fedorahosted.org/freeipa/changeset/144bc6c1ebc29cc0bbe54d8f8a6bc5a6cf026a90 https://fedorahosted.org/freeipa/changeset/0c7274ead8670951b1f07039b68014b06418024d https://fedorahosted.org/freeipa/changeset/a42fcfc18bb94fbf97ec310dbb920e045b0473a5
master: https://fedorahosted.org/freeipa/changeset/b5e941d49b3571a3f257be645dabb429754c94b0
master: https://fedorahosted.org/freeipa/changeset/b92136cba287e38d9c2f41c3163f5a6b0b62ca17
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3448
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3560
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4834
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4984
master: https://fedorahosted.org/freeipa/changeset/39426966063b3f3deced90ef3f5d0a87801d7eab https://fedorahosted.org/freeipa/changeset/9f049ca14403f3696d54d186e6b1b15181f055df https://fedorahosted.org/freeipa/changeset/3debc7b2b54b7926dcd2b26a37b3dc0677c3bc61
master: https://fedorahosted.org/freeipa/changeset/81df7b501e9adca119f671a6466a52a9e38503f2
master: https://fedorahosted.org/freeipa/changeset/5783d0c832a430f0f3b1a9b5ba083cda934d3397 https://fedorahosted.org/freeipa/changeset/520bbd001b68bc51a79c2b4a9684fb1c12a582cd
master: https://fedorahosted.org/freeipa/changeset/7660f40e2bedf6dce5c569f1be64a80934a952a3 https://fedorahosted.org/freeipa/changeset/6c438fff337794ac168a9b8aa7269b9afff7c95f https://fedorahosted.org/freeipa/changeset/f6e3088b87cce1e0aefa9afbfeaf00eaea02dff2 https://fedorahosted.org/freeipa/changeset/78baeeb77c867d00c9c1ceb41c58512e487abb0c https://fedorahosted.org/freeipa/changeset/99c0b918a7cdf4ea6f24b4cbe687d9cafd21de24
master: https://fedorahosted.org/freeipa/changeset/c43c5d1e437cffacc64220935ee6dd83a8e72a89
master: https://fedorahosted.org/freeipa/changeset/027515230a93a7a60983d3eca26a97a0d9c3610e
master: https://fedorahosted.org/freeipa/changeset/f903c2d5bff3e420519f7bbf026b9bfcc5460fb0
master: https://fedorahosted.org/freeipa/changeset/9eedffdfa62b4fa64244f048969b45b27a995c7a
Upstream work on the upgrader were done. The list of major changes can be retrieved for example from FreeIPA 4.2 Alpha release notes: http://www.freeipa.org/page/Releases/4.2.0.alpha1#Changes_to_upgrade
Verified upgrading master server: Installed 7.1 server (ipa-server-4.1.0-18.el7.x86_64) added user on this server yum installed 7.2 pkg - ipa-server-4.2.0-8.el7.x86_64 Ran ipa-server-upgrade to upgrade the server Upgrading IPA: [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: starting directory server [6/10]: updating schema [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Update complete Upgrading the configuration of the IPA services [Verifying that root certificate is published] Failed to backup CS.cfg: Dogtag must be stopped when creating backup of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating mod_nss protocol versions] Protocol versions already updated [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Removing self-signed CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Enabling serial autoincrement in DNS] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] Changes to named.conf have been made, restart named [Upgrading CA schema] CA schema update complete (no changes) [Verifying that CA audit signing cert has 2 year validity] [Update certmonger certificate renewal configuration to version 3] [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Ensuring CA is using LDAPProfileSubsystem] [Ensuring presence of included profiles] [Add default CA ACL] Default CA ACL already added The IPA services were upgraded The ipa-server-upgrade command was successful Upgrading IPA services and verified users added in 7.1 are available on upgraded server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html