Bug 1376043 - certmap.conf file is not backed up during ipa-server-upgrade
Summary: certmap.conf file is not backed up during ipa-server-upgrade
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
Depends On:
Reported: 2016-09-14 13:51 UTC by Sudhir Menon
Modified: 2017-08-01 09:39 UTC (History)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:39:54 UTC
Target Upstream Version:

Attachments
ipa-server-upgrade (2.64 KB, text/plain)
2016-09-14 13:51 UTC, Sudhir Menon
ipa server upgrade log (1.19 KB, application/x-gzip)
2016-09-14 14:01 UTC, Sudhir Menon
ipaupgrade.log (213.15 KB, application/x-gzip)
2016-09-14 16:27 UTC, Sudhir Menon

System ID: Red Hat Product Errata RHBA-2017:2304
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2017-08-01 12:41:35 UTC

Description Sudhir Menon 2016-09-14 13:51:57 UTC
Created attachment 1200827 [details]

Description of problem: certmap.conf file is not backed up during ipa-server-upgrade

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server
2. Run ipa-server-upgrade
3. Check the message displayed on the console.

Actual results:
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.  <======

[root@master slapd-TESTRELM-TEST]# ls -l
total 1464
-rw-------. 1 dirsrv root    65536 Sep 14 18:01 cert8.db
-rw-rw----. 1 dirsrv dirsrv  65536 Sep 14 16:03 cert8.db.orig
-r--r-----. 1 dirsrv dirsrv   1623 Sep 14 15:59 certmap.conf
-rw-------. 1 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.bak
-rw-------. 1 dirsrv root   185075 Sep 14 17:57 dse.ldif.ipa.0c9848ee71a223f7
-rw-------. 1 dirsrv root   158036 Sep 14 16:03 dse.ldif.ipa.6caae511ef006046
-rw-------. 1 dirsrv root   185075 Sep 14 18:01 dse.ldif.ipa.9e97b50e5209c89f
-rw-r--r--. 1 dirsrv root   185144 Sep 14 18:01 dse.ldif.modified.out
-rw-------. 2 dirsrv dirsrv 185075 Sep 14 18:02 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36163 Sep 14 15:59 dse_original.ldif
-rw-------. 1 dirsrv root    16384 Sep 14 18:01 key3.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 16:03 key3.db.orig
-r--------. 1 dirsrv dirsrv     66 Sep 14 16:03 pin.txt
-rw-------. 1 dirsrv dirsrv     40 Sep 14 16:03 pwdfile.txt
drwxrwx---. 2 dirsrv dirsrv   4096 Sep 14 18:02 schema
-rw-------. 1 dirsrv root    16384 Sep 14 18:02 secmod.db
-rw-rw----. 1 dirsrv dirsrv  16384 Sep 14 15:59 secmod.db.orig
-r--r-----. 1 dirsrv dirsrv  15142 Sep 14 15:59 slapd-collations.conf

Expected results: The message displayed during the ipa-server-upgrade on the console says that '/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf' is now managed by IPA. It will be overwritten. A backup of the original will be made.

Backup of the original file, i.e. certmap.conf, is not present.

Additional info:

Comment 1 Sudhir Menon 2016-09-14 14:01:49 UTC
Created attachment 1200831 [details]
ipa server upgrade log

Comment 2 Petr Vobornik 2016-09-14 14:36:22 UTC
It may be possible that there is "issue" only in debug messages.

If the file doesn't exist then it will not be backed up.

Could you check if the file exists before step 2?

Also what is the IPA version in step 1? ipa-server-4.4.0-11.el7.x86_64?

btw, attachment 1200831 [details] contains the same file as attachment 1200827 [details] I.e. upgrade log is missing.

Comment 4 Sudhir Menon 2016-09-14 16:27:07 UTC
Created attachment 1200910 [details]


I tried this with fresh install of IPA server and here are the observations.

1. certmap.conf is placed in /etc/dirsrv/slapd-TESTRELM-TEST post IPA server install, i.e. the file does exist before ipa-server-upgrade.

2. ipa-server-4.4.0-11.el7.x86_64 is the version used.

3. Attaching the upgrade logs for reference.

Comment 5 Petr Vobornik 2016-09-23 16:49:33 UTC
Both the certmap file and the template don't contain the "VERSION" string. So upgrade.find_version will always return 0.

In such a case upgrade.upgrade_file logs the message above, but given that it is called as:

    if subject_base:
        upgrade_file(
            sub_dict,
            os.path.join(ds_dirname, "certmap.conf"),
            os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))

I.e. without "add=True", the file is not backed up/upgraded:

    if old < new or (add and old == 0):
        backup_file(filename, new)
        update_conf(sub_dict, filename, template)
        root_logger.info("Upgraded %s to version %d", filename, new)

This also means that the file won't be upgraded unless a VERSION is set in it in the next update.

The certmap file has been created in the DS instance since 2007, and the last update of the template was in commit ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e. That commit removed the VERSION line - assuming by accident, because it was changing license text.

Conclusion: it is a bug which doesn't cause any harm, but the version string MUST be changed back.
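
The gate described in comment 5, as an added example that is not part of the original comments and is not FreeIPA's own code: a simplified Python model of the version check, run against constructed files. The `# VERSION n` marker format, the `.ipa.bak` backup name and the `run_case` helper are assumptions made for the illustration.

```python
import os
import re
import shutil
import tempfile

# Assumed marker format: a comment line such as "# VERSION 3".
VERSION_RE = re.compile(r"^[\s#]*VERSION\s+(\d+)", re.M)
MANAGED_MSG = ("is now managed by IPA. It will be overwritten. "
               "A backup of the original will be made.")


def find_version(path):
    """Return the VERSION number found in the file, or 0 when there is none."""
    with open(path) as fh:
        match = VERSION_RE.search(fh.read())
    return int(match.group(1)) if match else 0


def upgrade_file(filename, template, add=False):
    """Model of the gate quoted in comment 5; returns (messages, backup_path)."""
    old, new = find_version(filename), find_version(template)
    messages, backup = [], None
    if old == 0:
        # The warning depends only on the installed file lacking a version.
        messages.append(f"{filename} {MANAGED_MSG}")
    if old < new or (add and old == 0):
        backup = f"{filename}.ipa.bak"  # hypothetical backup name
        shutil.copy2(filename, backup)
        shutil.copy2(template, filename)
        messages.append(f"Upgraded {filename} to version {new}")
    return messages, backup


def run_case(template_text, add=False):
    """Build a constructed certmap.conf/template pair and run the gate.

    Returns (number of messages logged, whether a backup was written).
    """
    with tempfile.TemporaryDirectory() as workdir:
        conf = os.path.join(workdir, "certmap.conf")
        tmpl = os.path.join(workdir, "certmap.conf.template")
        with open(conf, "w") as fh:
            fh.write("certmap default default\n")  # constructed, no VERSION
        with open(tmpl, "w") as fh:
            fh.write(template_text)
        messages, backup = upgrade_file(conf, tmpl, add)
        return len(messages), backup is not None and os.path.exists(backup)


if __name__ == "__main__":
    print("template without VERSION:", run_case("certmap default default\n"))
    print("template with VERSION 3: ", run_case("# VERSION 3\ncertmap default default\n"))
```

With no VERSION in either file the warning is logged and nothing is backed up, which matches the reported console output; once the template carries a version, the backup and the "Upgraded" message both appear, as in comment 10.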

Comment 6 Petr Vobornik 2016-09-23 16:52:18 UTC
Upstream ticket:

Comment 7 Petr Vobornik 2017-04-06 16:56:12 UTC
Should be fixed in

Comment 8 Petr Vobornik 2017-04-06 17:02:09 UTC

Meaning IPA 4.5, ipa-4.5.0-1.el7

Comment 10 Sudhir Menon 2017-05-25 12:45:30 UTC
Tested on RHEL7.4
1. The below line is no longer seen when ipa-server-upgrade is run
'/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made'
2. certmap.conf contains the below lines now.
[root@master]# cat certmap.conf
# This file is managed by IPA and will be overwritten on upgrades.
3. If we remove the VERSION info from the file and try ipa-server-upgrade, it is added to the file after the command completes. The below message is displayed on the console.
[root@master slapd-TESTRELM-TEST]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
      [1/10]: stopping directory server
      [2/10]: saving configuration
      [3/10]: disabling listeners
      [4/10]: enabling DS global lock
      [5/10]: starting directory server
      [6/10]: updating schema
      [7/10]: upgrading server
      [8/10]: stopping directory server
      [9/10]: restoring configuration
      [10/10]: starting directory server
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
Upgraded /etc/dirsrv/slapd-TESTRELM-TEST/certmap.conf to version 3

Comment 11 errata-xmlrpc 2017-08-01 09:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

