Red Hat Bugzilla – Bug 1466093
Decommissioning domain controller role fails when role deployed on Fedora 25 then system upgraded to Fedora 26
Last modified: 2017-06-28 22:16 EDT
I recently implemented an openQA test which does the following:
* Starting from a clean Fedora 25 Server install, deploy the domain controller role
* On another system, starting from a clean Fedora 25 Server install, enrol as a client in the domain (using realmd)
* Once the client is enrolled, upgrade the Server system to Fedora 26, then upgrade the client system to Fedora 26
* Run through the usual server and client tests on Fedora 26
The server part of this test always fails right at the end, when the role is decommissioned with `rolectl decommission domaincontroller/domain.local`. In contrast, when a similar test is run entirely on Fedora 26 (and, indeed, entirely on Fedora 25) the decommissioning works successfully. It's only when an upgrade is involved that the decommissioning fails.
The failure seems to be related to something done to the firewall configuration during decommissioning, as the system journal contains these lines at the relevant time:
    Jun 25 11:49:32 ipa001.domain.local firewalld: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
    Jun 25 11:49:32 ipa001.domain.local firewalld: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
    Jun 25 11:49:32 ipa001.domain.local firewalld: ERROR: COMMAND_FAILED
/var/log/rolekit doesn't provide anything useful, though - the last message in it is:
    2017-06-25 14:49:31 ERROR: b'Client uninstall complete.'
which I believe is passed along from the FreeIPA client uninstallation process.
I will attach a tarball containing the complete contents of /var/log from the server to this report. You can use 'journalctl --file' to read the journal files under /var/log/journal.
Created attachment 1292752
/var/log from an affected case