Bug 1368604 - HE_APPLIANCE_ENGINE_SETUP_FAIL - Setup found legacy kerberos/ldap directory integration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-hosted-engine-setup
Classification: oVirt
Component: General
Version: 2.0.1.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.0.4
Target Release: 2.0.2
Assignee: Simone Tiraboschi
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1369747
Blocks:
 
Reported: 2016-08-19 22:31 UTC by Jiri Belka
Modified: 2021-08-30 13:36 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, Red Hat Virtualization no longer supports legacy directory integration. A check has been added to the upgrade procedure as the migration to a new aaa provider can only be performed on Red Hat Virtualization 3.6.
Clone Of:
Environment:
Last Closed: 2016-09-26 12:37:38 UTC
oVirt Team: Integration
rule-engine: ovirt-4.0.z+
rule-engine: blocker+
mgoldboi: planning_ack+
sbonazzo: devel_ack+
mavital: testing_ack+




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1369747 | 0 | unspecified | CLOSED | Add an option '--mode=verify' to 'engine-backup' that also checks and fails if "found legacy kerberos/ldap directory int... | 2021-02-22 00:41:40 UTC |
| Red Hat Issue Tracker | RHV-36133 | 0 | None | None | None | 2021-08-30 13:36:09 UTC |
| Red Hat Knowledge Base (Solution) | 2579561 | 0 | None | None | None | 2016-08-29 06:05:39 UTC |
| oVirt gerrit | 62763 | 0 | master | ABANDONED | upgrade: Verify using engine-backup | 2020-07-09 20:42:56 UTC |
| oVirt gerrit | 62857 | 0 | master | MERGED | upgrade: enforcing current aaa mechanism | 2020-07-09 20:42:56 UTC |
| oVirt gerrit | 62947 | 0 | ovirt-hosted-engine-setup-2.0 | MERGED | upgrade: enforcing current aaa mechanism | 2020-07-09 20:42:56 UTC |

Internal Links: 1369747

Description Jiri Belka 2016-08-19 22:31:36 UTC
Description of problem:

There's no check for legacy kerberos/ldap directory integration and thus migration fails almost in the end.

This is annoying, I spent an hour while waiting for 'dd', 'qemu-img convert' to finish and such thing caused failure.

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-2.0.1.4-1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. have 3.6 with legacy kerberos/ldap directory integration
2. hosted-engine --upgrade-appliance
3.

Actual results:
time spent and it fails in the end

Expected results:
setup obviously does not do enough checks before it runs real action and thus fails almost in the end (again)

Additional info:

Comment 2 Jiri Belka 2016-08-19 22:59:26 UTC
Can be problematic if legacy kerberos/ldap directory servers run as VMs and were shut down during this migration process :/ Thus another rollback-upgrade, start IPA and AD, and then I would try to use https://github.com/machacekondra/ovirt-engine-kerbldap-migration

Comment 3 Yedidyah Bar David 2016-08-21 09:06:18 UTC
(In reply to Jiri Belka from comment #0)
> Description of problem:
> 
> There's no check for legacy kerberos/ldap directory integration and thus
> migration fails almost in the end.

From engine-setup's POV, it fails right when it should have failed, during stage "Validation".

From appliance upgrade tool POV, this is indeed late into the game.

Perhaps we should allow asking the user whether to try running engine-setup again, after the user hopefully manually fixes things.

Comment 4 Yaniv Lavi 2016-08-21 12:32:22 UTC
We should add this validation before we start appliance upgrade like other checks we do.

Comment 5 Yedidyah Bar David 2016-08-21 14:02:55 UTC
(In reply to Yaniv Dary from comment #4)
> We should add this validation before we start appliance upgrade like other
> checks we do.

We ask the user to manually back up the engine and provide the backup file. Then we do some verification on this backup file. We can add something there for current bug.

If we find there a new aaa setup, fine. Otherwise we should probably tell the user to manually handle this (upgrade to new aaa), back up again and provide new backup.

This will not save all of the spent time but some of it.

We can also provide a new, unrelated tool which we didn't introduce so far, say "check-migration-to-4.0-readiness" to run on the engine (not host). Either package in 3.6.9 or provide it as an independent tool to be copied and run. Such a tool can also help bug 1368589 and similar stuff.

Comment 7 Sandro Bonazzola 2016-08-22 07:01:11 UTC
Didi please work with Simone on this.

Comment 10 Jiri Belka 2016-09-16 14:22:24 UTC
ok, ovirt-hosted-engine-setup-2.0.2.2-2.el7ev.noarch

...
[ INFO  ] Connecting to the Engine
[ ERROR ] ['ad-w2k8r2.example.com']: such AAA domains are still configured in a deprecated way that is not compatible with the current release; please upgrade them to ovirt-engine-extension mechanism before proceeding.
[ ERROR ] Failed to execute stage 'Environment customization': Unsupported AAA mechanism
[ INFO  ] Stage: Clean up
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ ERROR ] Hosted Engine upgrade failed
          Log file is located at /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20160916161859-1x9wnl.log
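
Added example, not part of the bug report or of ovirt-hosted-engine-setup: a triage helper that reads console output in the format shown in comment 10 and reports which AAA domains blocked the upgrade and at which stage. The function names and the second domain in the sample are constructed for illustration.

```python
import ast
import re

# Console lines in the format shown in comment 10; the second domain name
# ('ipa.example.com') is constructed for illustration.
SAMPLE_OUTPUT = """\
[ INFO  ] Connecting to the Engine
[ ERROR ] ['ad-w2k8r2.example.com', 'ipa.example.com']: such AAA domains are still configured in a deprecated way that is not compatible with the current release; please upgrade them to ovirt-engine-extension mechanism before proceeding.
[ ERROR ] Failed to execute stage 'Environment customization': Unsupported AAA mechanism
[ INFO  ] Stage: Clean up
[ ERROR ] Hosted Engine upgrade failed
"""

LINE_RE = re.compile(r"^\[\s*(?P<level>[A-Z]+)\s*\]\s(?P<msg>.*)$")
DOMAINS_RE = re.compile(
    r"^(?P<list>\[.*?\]): such AAA domains are still configured in a deprecated way")
STAGE_RE = re.compile(r"^Failed to execute stage '(?P<stage>[^']+)': (?P<reason>.+)$")


def triage_legacy_aaa(output):
    """Return the legacy AAA domains and the failed stage found in setup output."""
    result = {"legacy_domains": [], "failed_stage": None, "reason": None}
    for raw in output.splitlines():
        line = LINE_RE.match(raw)
        if not line or line.group("level") != "ERROR":
            continue  # continuation lines and INFO lines carry no verdict
        msg = line.group("msg")
        domains = DOMAINS_RE.match(msg)
        if domains:
            try:
                # The domain list is printed as a Python list literal;
                # literal_eval parses it without executing anything.
                parsed = ast.literal_eval(domains.group("list"))
            except (ValueError, SyntaxError):
                continue
            if isinstance(parsed, list):
                result["legacy_domains"].extend(str(d) for d in parsed)
            continue
        stage = STAGE_RE.match(msg)
        if stage:
            result["failed_stage"] = stage.group("stage")
            result["reason"] = stage.group("reason")
    return result


def blocked_by_legacy_aaa(output):
    """True when the run stopped because legacy AAA domains are still configured."""
    found = triage_legacy_aaa(output)
    return bool(found["legacy_domains"]) and found["reason"] == "Unsupported AAA mechanism"
```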

