RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1199520 - [RFE] Introduce single upgrade tool - ipa-server-upgrade
Summary: [RFE] Introduce single upgrade tool - ipa-server-upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 1181710 1199516
TreeView+ depends on / blocked
 
Reported: 2015-03-06 14:44 UTC by Martin Kosek
Modified: 2015-11-19 12:01 UTC (History)
4 users (show)

Fixed In Version: ipa-4.2.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:01:49 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2362 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2015-11-19 10:40:46 UTC

Description Martin Kosek 2015-03-06 14:44:36 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4904

Current FreeIPA upgrade method has several major drawbacks:
* Upgrade process is split in 2 separate tools (ipa-upgradeconfig, ipa-ldap-update), where the order matters. Instead of the user, the tool itself should guarantee the right order of the steps
* Updater is run as RPM transaction. This does not work in chrooted environment (FedUP) and can also stuck RPM transaction if e.g. DS deadlocks
* Update is not always deterministic, thanks to the LDAP update files ordering

The new joint upgrade tool should solve this and other biggest pain points of the updater. It should also start storing the current version of the data/configuration it updated to, so that by default it is not run several times when the version is the same. It should also not allow running newer data/configuration on older version of the bits.
Comment 1 Tomas Babej 2015-03-19 11:35:38 UTC 
Remove unused PRE_SCHEMA_UPDATE
master:
https://fedorahosted.org/freeipa/changeset/d3f5d5d1ff5a730d5c268456015fee36a7dc5bff
Comment 2 Tomas Babej 2015-03-19 11:39:47 UTC 
master:
https://fedorahosted.org/freeipa/changeset/bb1d7a741c3e8c932e13e642adb1799957becb0c
https://fedorahosted.org/freeipa/changeset/10bc6bd0bf96bda733500e12e7a8c2463ebf7fe4
https://fedorahosted.org/freeipa/changeset/144bc6c1ebc29cc0bbe54d8f8a6bc5a6cf026a90
https://fedorahosted.org/freeipa/changeset/0c7274ead8670951b1f07039b68014b06418024d
https://fedorahosted.org/freeipa/changeset/a42fcfc18bb94fbf97ec310dbb920e045b0473a5
Comment 3 Jan Cholasta 2015-04-02 08:53:33 UTC 
master:
https://fedorahosted.org/freeipa/changeset/b5e941d49b3571a3f257be645dabb429754c94b0
Comment 4 Jan Cholasta 2015-04-02 12:28:04 UTC 
master:
https://fedorahosted.org/freeipa/changeset/b92136cba287e38d9c2f41c3163f5a6b0b62ca17
Comment 5 Petr Vobornik 2015-04-14 15:41:17 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3448
Comment 6 Petr Vobornik 2015-04-14 15:41:23 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3560
Comment 7 Petr Vobornik 2015-04-14 15:41:27 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4834
Comment 8 Petr Vobornik 2015-04-21 14:43:46 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4984
Comment 9 Jan Cholasta 2015-05-04 11:18:09 UTC 
master:
https://fedorahosted.org/freeipa/changeset/39426966063b3f3deced90ef3f5d0a87801d7eab
https://fedorahosted.org/freeipa/changeset/9f049ca14403f3696d54d186e6b1b15181f055df
https://fedorahosted.org/freeipa/changeset/3debc7b2b54b7926dcd2b26a37b3dc0677c3bc61
Comment 10 Petr Vobornik 2015-05-05 09:49:28 UTC 
master:
https://fedorahosted.org/freeipa/changeset/81df7b501e9adca119f671a6466a52a9e38503f2
Comment 11 Jan Cholasta 2015-05-11 16:09:49 UTC 
master:
https://fedorahosted.org/freeipa/changeset/5783d0c832a430f0f3b1a9b5ba083cda934d3397
https://fedorahosted.org/freeipa/changeset/520bbd001b68bc51a79c2b4a9684fb1c12a582cd
Comment 12 Jan Cholasta 2015-05-19 12:44:39 UTC 
master:
https://fedorahosted.org/freeipa/changeset/7660f40e2bedf6dce5c569f1be64a80934a952a3
https://fedorahosted.org/freeipa/changeset/6c438fff337794ac168a9b8aa7269b9afff7c95f
https://fedorahosted.org/freeipa/changeset/f6e3088b87cce1e0aefa9afbfeaf00eaea02dff2
https://fedorahosted.org/freeipa/changeset/78baeeb77c867d00c9c1ceb41c58512e487abb0c
https://fedorahosted.org/freeipa/changeset/99c0b918a7cdf4ea6f24b4cbe687d9cafd21de24
Comment 13 Petr Vobornik 2015-05-22 13:58:00 UTC 
master:
https://fedorahosted.org/freeipa/changeset/c43c5d1e437cffacc64220935ee6dd83a8e72a89
Comment 14 Jan Cholasta 2015-05-25 16:36:24 UTC 
master:
https://fedorahosted.org/freeipa/changeset/027515230a93a7a60983d3eca26a97a0d9c3610e
Comment 15 Jan Cholasta 2015-05-26 11:32:19 UTC 
master:
https://fedorahosted.org/freeipa/changeset/f903c2d5bff3e420519f7bbf026b9bfcc5460fb0
Comment 16 Jan Cholasta 2015-05-26 11:34:07 UTC 
master:
https://fedorahosted.org/freeipa/changeset/9eedffdfa62b4fa64244f048969b45b27a995c7a
Comment 17 Martin Kosek 2015-07-07 07:41:17 UTC 
Upstream work on the upgrader were done. The list of major changes can be retrieved for example from FreeIPA 4.2 Alpha release notes:

http://www.freeipa.org/page/Releases/4.2.0.alpha1#Changes_to_upgrade
Comment 19 Namita Soman 2015-09-21 20:46:42 UTC 
Verified upgrading master server:
Installed 7.1 server (ipa-server-4.1.0-18.el7.x86_64)
added user on this server
yum installed 7.2 pkg - ipa-server-4.2.0-8.el7.x86_64
Ran ipa-server-upgrade to upgrade the server
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
Failed to backup CS.cfg: Dogtag must be stopped when creating backup of /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 3]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful
Upgrading IPA services

and verified users added in 7.1 are available on upgraded server
Comment 20 errata-xmlrpc 2015-11-19 12:01:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
Note You need to log in before you can comment on or make changes to this bug.