Bug 1286635 - IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
Summary: IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Aneta Šteflová Petrová
Depends On: 1293340 1364071 1365572 1373910
Blocks: 1298097
Reported: 2015-11-30 11:47 UTC by Nikhil Dehadrai
Modified: 2016-11-04 05:41 UTC

Fixed In Version: ipa-4.2.0-16.el7
Doc Type: Known Issue
Doc Text:
Upgrading the ipa packages fails if the required openssl version is not installed

When the user attempts to upgrade the *ipa* packages, Identity Management (IdM) does not automatically install the required version of the *openssl* packages. Consequently, if the 1.0.1e-42 version of *openssl* is not installed before the user runs the "yum update ipa*" command, the upgrade fails during the DNSKeySync service configuration. To work around this problem, update *openssl* manually to version 1.0.1e-42 or later before updating *ipa*. This prevents the upgrade failure.
Clone Of:
: 1298097
Last Closed: 2016-11-04 05:41:37 UTC
Target Upstream Version:

Attachments
Workaround patch (834 bytes, patch)
2015-11-30 11:59 UTC, Martin Bašti
Workaround patch update 1 (868 bytes, patch)
2016-01-04 11:39 UTC, Martin Bašti
pspacek: review+

System: Red Hat Product Errata
ID: RHBA-2016:2404
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2016-11-03 13:56:18 UTC

Description Nikhil Dehadrai 2015-11-30 11:47:29 UTC
Description of problem:
IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using "yum update ipa* sssd"

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Set up a RHEL 7.0 host with IPA master.
2. Add RHEL 7.2 and RHEL 7.2 update repos on the system.
3. Run yum update ipa* sssd
4. Verify the logs for yum update process along with ipaupgrade process.
# tail -f /var/log/messages
# tail -f /var/log/ipaupgrade.log
# tail -f /var/log/yum.log

Actual results:
1. After step 4, the following error message is displayed during the yum update process:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned non-zero exit status 1

2. ipa-upgrade is successful (rpm -qa | grep ipa-server*)
3. openssl version is not updated (remains as openssl-1.0.1e-34.el7.x86_64 in my case)

Expected results:
ipa-server upgrade should be successful without any errors.

Additional info:
1. When the server is upgraded using the "yum update" command, no error messages are observed and the server is upgraded successfully.
2. Also, openssl is upgraded to the latest version (openssl-1.0.1e-42.el7_1.9.x86_64).

Comment 2 Martin Bašti 2015-11-30 11:59:35 UTC
Created attachment 1100487 [details]
Workaround patch

Comment 3 Petr Vobornik 2015-11-30 12:09:34 UTC
Workaround: update openssl package first to version at least 1.0.1e-42. Then update ipa package.
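
The workaround above as a pre-flight check to run before "yum update ipa*" (an added example, not part of the original bug report and not IPA project code). The rpmvercmp function is a simplified reimplementation of rpm's segment comparison that ignores epoch, "~" and "^"; the function names are hypothetical, and the version strings in the comments are the two openssl builds quoted in the description.

```python
import re

# Minimum openssl version-release named in this bug report.
REQUIRED = "1.0.1e-42"

# rpm compares maximal runs of digits or of letters; separators are skipped.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm segment comparison: returns -1, 0 or 1."""
    segs_a, segs_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(segs_a, segs_b):
        if x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(segs_a) > len(segs_b)) - (len(segs_a) < len(segs_b))


def evr_cmp(a, b):
    """Compare two 'version-release' strings (epoch is not considered)."""
    ver_a, _, rel_a = a.partition("-")
    ver_b, _, rel_b = b.partition("-")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def preflight(installed_vr, required_vr=REQUIRED):
    """True when the installed openssl is new enough to update ipa."""
    return evr_cmp(installed_vr, required_vr) >= 0


if __name__ == "__main__":
    import subprocess
    import sys

    # Ask rpm for the installed openssl version-release, e.g. 1.0.1e-34.el7
    vr = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "openssl"]
    ).decode().strip()
    if not preflight(vr):
        sys.exit("openssl %s is older than %s: run 'yum update openssl' "
                 "before 'yum update ipa*'" % (vr, REQUIRED))
    print("openssl %s satisfies >= %s" % (vr, REQUIRED))
```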

Comment 4 Martin Kosek 2015-11-30 12:43:52 UTC
(In reply to Martin Bašti from comment #2)
> Created attachment 1100487 [details]
> Workaround patch

Please just note that "Requires(pre)" does not supersede "Requires". You can for example delete such package after upgrade. So it may make sense to keep both Requires in the spec file.

Comment 6 Petr Spacek 2015-11-30 13:10:55 UTC
Okay, so we may want to add Requires to softhsm.spec and Requires(pre) to ipa.spec. Is it a reasonable idea? Should I open a bug against softhsm?

Comment 7 Martin Bašti 2016-01-04 11:39:14 UTC
Created attachment 1111451 [details]
Workaround patch update 1

Comment 8 Petr Spacek 2016-01-04 11:46:49 UTC
Comment on attachment 1111451 [details]
Workaround patch update 1

Looks good, but we can stick with the old version if bug 1293340 is solved at the same time.

Comment 9 Martin Bašti 2016-01-07 15:31:08 UTC
The patch has been acked

Comment 15 Nikhil Dehadrai 2016-08-10 13:03:35 UTC
IPA server version: ipa-server-4.4.0-7.el7.x86_64

Tested the bug on the basis of following steps:
1. Tested that IPA server configured on RHEL 7.0 is upgraded from 7.0 to 7.3.
2. Noticed that ipaupgrade.log file is created at /var/log/ipaupgrade.log.
3. Noticed that /var/log/ipaupgrade.log file is not updated.

See below:
[root@vm-idm-011 log]# rpm -q ipa-server
[root@vm-idm-011 log]# ls -al ipaupgrade.log 
-rw-r--r--. 1 root root 0 Aug 10 17:59 ipaupgrade.log
[root@vm-idm-011 log]# cat ipaupgrade.log 
[root@vm-idm-011 log]# 

Thus on the basis of above observations, marking the status of bug to "ASSIGNED".

Comment 16 Martin Bašti 2016-08-10 13:36:58 UTC
Can you provide more info?

Any output from yum upgrade?
Can you re-run ipa-server-upgrade?

Comment 17 Nikhil Dehadrai 2016-08-10 14:01:33 UTC
Hi Martin,

Please find the details as below:

[root@vm-idm-011 log]# cat yum.log | grep ipa-server
Aug 10 13:25:33 Installed: ipa-tests-ipa-server-rhel70-shared-sgoveas.20150107141511-0.noarch
Aug 10 13:26:21 Installed: ipa-tests-ipa-server-rhel70-quickinstall-spoore.20140812195047-0.noarch
Aug 10 13:28:29 Installed: ipa-server-3.3.3-28.el7.x86_64
Aug 10 17:59:03 Installed: ipa-server-common-4.4.0-7.el7.noarch
Aug 10 17:59:05 Installed: ipa-server-4.4.0-7.el7.x86_64
Aug 10 17:59:06 Installed: ipa-server-dns-4.4.0-7.el7.noarch

On running ipa-server-upgrade I notice following:
[root@vm-idm-011 ~]# ipa-server-upgrade
Traceback (most recent call last):
  File "/usr/sbin/ipa-server-upgrade", line 10, in <module>
    from ipaserver.install.ipa_server_upgrade import ServerUpgrade
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 9, in <module>
    from ipaserver.install import server
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 5, in <module>
    from .install import Server
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 35, in <module>
    from ipaserver.install import (
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 9, in <module>
    from ipaserver.install import cainstance, dsinstance, bindinstance
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 72, in <module>
    from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 30, in <module>
    from pki.client import PKIConnection
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
ImportError: No module named packages.urllib3.exceptions

Let me know if you need access to the machine.

Comment 18 Martin Bašti 2016-08-10 14:15:55 UTC
This is a dogtag issue

  File "/usr/lib/python2.7/site-packages/pki/client.py", line 28, in <module>
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
ImportError: No module named packages.urllib3.exceptions

There are already several bugs for that.

Comment 19 Martin Bašti 2016-08-10 14:30:56 UTC
here: https://bugzilla.redhat.com/show_bug.cgi?id=1364071

I don't know how to handle this, but we cannot fix it on IPA side :)

Comment 20 Martin Kosek 2016-08-11 06:34:25 UTC
If this is fixed with pki-core-10.3.3-5.el7, you can simply bump Requires in ipa and move this bug to ON_QA. No?

Comment 21 Martin Bašti 2016-08-11 07:20:33 UTC
I don't know if it was fixed, bz1364071 is still ON_QA

Comment 23 Petr Vobornik 2016-08-23 12:04:52 UTC
The issue will be fixed in bug 1364071 and bug 1365572. Temporary workaround: update python-requests to version >= 2.6.0

Comment 24 Petr Vobornik 2016-09-05 14:51:54 UTC
Both bug 1364071 and bug 1365572 are on QA, which should fix the issue in comment 17.

Comment 25 Nikhil Dehadrai 2016-09-22 13:30:25 UTC
IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of following points:
1. Verified that IPA server upgrade is successful for path RHEL 7.0 to RHEL 7.3.
2. "DNS timed out error" message is not displayed at the console.
3. "httpd.service" error message is not observed in ipaupgrade.log.
4. No errors related to import of urllib3.exceptions are noticed in ipaupgrade.log
5. The dummy dns forwardzone details created at 7.0 are reflected after upgrade.

Thus on the basis of observations above, marking the status of bug to "VERIFIED".

Comment 28 errata-xmlrpc 2016-11-04 05:41:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

