After upgrading a F21 VM to F22 during the weekend, FreeIPA fails to start. The pki-tomcat service is broken, and there are a number of dangling symlink to jars in the /var/lib/pki/pki-tomcat directory. Manually replacing those symlinks to point to newer versions of the jars seem to let pki-tomcat start, but it never responds to queries causing the ipactl service to eventually timeout and tear down all ipa services.
Proposed as a Blocker for 22-beta by Fedora user sgallagh using the blocker tracking app because: "The upgraded system must meet all release criteria." "The FreeIPA configuration web UI must be available and allow at least basic configuration of user accounts and permissions." (Core requirements)
For the record, I just confirmed that this issue happens only on upgrade. A fresh installation on either Fedora 21 or Fedora 22 with the latest packages does not experience this issue. Upgrading with fedup from a working Fedora 21 FreeIPA setup results in broken symlinks because the fedup tree includes some packages from the broken upgrade to tomcat 8.0 that we reverted. I'll coordinate with rel-eng to figure out why that happened.
OK, so this is mostly fallout from the fact that the tomcat 8->7 downgrade wasn't ready for Alpha release. The Alpha tree still had the tomcat 8 packages in it which were known to break FreeIPA. So once Beta is released, fedup will switch over to using that tree and this problem will magically go away. On the other hand, we still have an issue with getting out of this situation once we're in it. The problem is that tomcat 7 and tomcat 8 produce different package names for the API versions served by the subpackages (such as JSP 2.2 and 2.3). Dogtag needs to be updated to explicitly request the version of the API that it needs so that it pulls in the correct dependency, even if the tomcat 8 packages also happen to exist in the repo. This will assist people in using yum/dnf to get back to a working state. (I suspect that adding these deps once we're in this state will cause a conflict instead of cleaning the upgrade path, but it will at least give people more information on where the problem lies than the silent failure we have now).
Fixed in https://fedorahosted.org/pki/ticket/1332.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.