Created attachment 1292340 [details]
Full install log
Description of problem:
IPA server installation command fails almost finishing with this error:
The ipa-server-install command failed, exception: Error: Error at open session: 0x3
Version-Release number of selected component (if applicable):
How reproducible: Suposedly always (I did it 2 times in a row in clean F26 virtual machines)
Steps to Reproduce:
1. I am using this script for installation: https://github.com/olivergs/fleet-commander-freeipa-environment/blob/master/ipamaster.sh
2. Configured IPA server installation leaving default values except the DNS forwarding that I set to NO
3. Installation begins and fails when it is almost finishing.
Server not installed. Failing with error: The ipa-server-install command failed, exception: Error: Error at open session: 0x3
Las part of log:
full log file in attachments.
IPA server install finishing
I noticed resol.conf got modified and shows the following contents:
Thank you for reporting this.
Tomas we have to backport this patch to FreeIPA in F26 07df61b7814db08d81e1ff92f58b24e5d852fdf8
Proposed as a Blocker for 26-beta by Fedora user ogutierrez using the blocker tracking app because:
Latest FreeIPA server in F26 Beta is not installable. During the execution of freeipa-server-install it fails the installation with a reproducible error.
Beta is out, if you want this to be a blocker it has to be against F26 Final.
Thanks for fixing the mistake Andre.
freeipa-4.4.4-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1dabaf8ee1
Tested in a clean/updated Fedora 26 and seems working now.
The openQA FreeIPA server test has been working fine for weeks; is there some specific circumstance which triggers this bug?
Ah, now I see what the issue is:
"ipa-dnskeysyncd: is failing with softhsm 2.2.0"
softhsm 2.2.0 is in updates-testing, not in stable. So the openQA nightly test is passing because it doesn't use u-t.
That means this doesn't need to be a release blocker unless softhsm 2.2.0 gets pushed stable for some reason (it doesn't seem to be proposed for a blocker or FE bug, so there's no reason why it would at present).
Note that softhsm 2.2.0 is queued for F25 as well as F26:
Instead of having separate freeipa updates (as is currently the case), the fixed freeipa packages should be added to the softhsm updates, as per the packaging guidelines (so softhsm doesn't get pushed without freeipa, resulting in freeipa breaking until the freeipa update is pushed). I'm trying to do this at present, but running into Bodhi issues; trying to get releng to help with that.
freeipa-4.4.4-4.fc26 softhsm-2.2.0-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8
Discussed at 2017-06-29 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html . Rejected as a blocker, as the update that causes the problem is not in stable and is not queued as a blocker or FE fix, so the frozen package set should not have the problem.
I've now edited the F25 and F26 updates such that the softhsm and freeipa updates are together, so it should not be possible for the softhsm update to go to stable without the freeipa build that works with it.
Thanks, Adam. This should work fine.
freeipa-4.4.4-4.fc26, softhsm-2.2.0-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12359c53e8
freeipa-4.4.4-4.fc26, softhsm-2.2.0-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.