Bug 1466093 - Decommissioning domain controller role fails when role deployed on Fedora 25 then system upgraded to Fedora 26
Status: NEW
Product: Fedora
Classification: Fedora
Component: rolekit
Version: 26
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-06-28 22:15 EDT by Adam Williamson
Modified: 2017-06-28 22 EDT

Type: Bug


Attachments:
/var/log from an affected case (5.93 MB, application/x-gzip), 2017-06-28 22:16 EDT, Adam Williamson

Description Adam Williamson 2017-06-28 22:15:57 EDT
I recently implemented an openQA test which does the following:

* Starting from a clean Fedora 25 Server install, deploy the domain controller role
* On another system, starting from a clean Fedora 25 Server install, enrol as a client in the domain (using realmd)
* Once the client is enrolled, upgrade the Server system to Fedora 26, then upgrade the client system to Fedora 26
* Run through the usual server and client tests on Fedora 26

The server part of this test always fails right at the end, when the role is decommissioned with `rolectl decommission domaincontroller/domain.local`. In contrast, when a similar test is run entirely on Fedora 26 (and, indeed, entirely on Fedora 25) the decommissioning works successfully. It's only when an upgrade is involved that the decommissioning fails.

The failure seems to be related to something done to the firewall configuration during decommissioning, as the system journal contains these lines at the relevant time:

Jun 25 11:49:32 ipa001.domain.local firewalld[654]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed:
Jun 25 11:49:32 ipa001.domain.local firewalld[654]: WARNING: '/usr/sbin/ip6tables-restore --wait=2 -n' failed:
Jun 25 11:49:32 ipa001.domain.local firewalld[654]: ERROR: COMMAND_FAILED

/var/log/rolekit doesn't provide anything useful, though - the last message in it is:

2017-06-25 14:49:31 ERROR: b'Client uninstall complete.'

which I believe is passed along from the FreeIPA client uninstallation process.

I will attach a tarball containing the complete contents of /var/log from the server to this report. You can use 'journalctl --file' to read the journal files under /var/log/journal .
Comment 1 Adam Williamson 2017-06-28 22:16 EDT
Created attachment 1292752
/var/log from an affected case
