Bug 1475946 - ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgrade
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa-server-container
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Vobornik
QA Contact: Nikhil Dehadrai
Depends On: 1476156
Blocks: 1405325
Reported: 2017-07-27 15:24 UTC by Nikhil Dehadrai
Modified: 2017-08-01 13:20 UTC (History)

Fixed In Version: rhel7/ipa-server:4.5.0-8
Last Closed: 2017-08-01 13:20:32 UTC

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHEA-2017:2373 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux 7.4 Atomic Identity Management Server Container Image | 2017-08-01 17:38:49 UTC

Description Nikhil Dehadrai 2017-07-27 15:24:45 UTC
Description of problem:
ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgraded from RHEL 7.3.z to RHEL 7.4.z.

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
ipa-server-4.5.0-21.el7.x86_64

IPA-DOCKER image: 4.5.0.7
atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-26 21:02:12)
                 Commit: 59c94e1776ecc877c59ca22c1a3f655b40ce13b67187284b733372b44a655211



How reproducible:
Always

Steps to Reproduce:
1. Set up IPA using the IPA docker image from RHEL 7.3.z.
# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=x.x.x.x --forwarder=x.x.x.x -r TESTRELM.TEST -a Secret123 -p Secret123 --no-ntp -U
2. Start the IPA container and run ipactl restart command.
# atomic run --name ipadocker rhel7/ipa-server
# docker exec -it ipadocker ipactl restart
3. Now load the latest ipa-server-docker image to atomic host
# docker load -i <ipa-server-docker image>
4. Run the following command to initiate the upgrade process
# atomic run --name ipadocker rhel7/ipa-server
5. Re-run the ipactl restart command
# docker exec -it ipadocker ipactl restart

Actual results:
1. After step 2, the ipactl restart command runs successfully.
2. After step 5, the ipactl restart command fails to restart.


Expected results:
The ipactl restart command should run successfully after ipa-docker image upgrade.

Comment 4 Martin Bašti 2017-07-28 07:28:40 UTC
The root cause is that the bind-dyndb-ldap package does its update in an RPM post scriptlet, which is not done in containers. This causes an invalid /etc/named.conf for the newer bind (in RHEL 7.4). The upgrade must be extracted from the RPM into an executable binary that must be called explicitly in the IPA container.

Comment 5 Martin Bašti 2017-07-28 08:35:36 UTC
Proposed fix: add bind-dyndb-ldap package to ipa-server-configure-first:upgrade_server function
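
A pre-start check for the condition described in comments 4 and 5, as an added example that is not part of the bug report or of the IPA container's code. It assumes the two named.conf stanza formats documented by bind-dyndb-ldap (old `dynamic-db`, new `dyndb` from version 11); the function names and the constructed usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug report or the IPA container.
# Assumed stanza formats (from bind-dyndb-ldap's own documentation, not this page):
#   before 11:  dynamic-db "ipa" { library "ldap.so"; arg "..."; };
#   11 and up:  dyndb "ipa" "/usr/lib64/bind/ldap.so" { ... };

# Print legacy, current, mixed or none for the named.conf given as $1.
# Whole-line # and // comments are skipped; /* */ blocks are not handled.
named_conf_style() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*(#|\/\/)/          { next }
        /^[ \t]*dynamic-db[ \t]+"/ { legacy++ }
        /^[ \t]*dyndb[ \t]+"/      { current++ }
        END {
            if (legacy && current) print "mixed"
            else if (legacy)       print "legacy"
            else if (current)      print "current"
            else                   print "none"
        }' "$1"
}

# Exit 0 when the installed plugin ($2, e.g. "11.1") expects the new format
# but the persisted config ($1) still carries the old stanza.
needs_config_upgrade() {
    style=$(named_conf_style "$1") || return 2
    major=${2%%.*}
    [ "$major" -ge 11 ] && { [ "$style" = "legacy" ] || [ "$style" = "mixed" ]; }
}

# Stand-alone use:
#   sh check.sh /etc/named.conf "$(rpm -q --qf '%{VERSION}' bind-dyndb-ldap)"
if [ $# -eq 2 ]; then
    if needs_config_upgrade "$1" "$2"; then
        echo "named.conf predates the installed bind-dyndb-ldap;" \
             "run the config upgrade before starting named-pkcs11" >&2
        exit 1
    fi
fi
```

Run against the persisted configuration volume rather than the image's own filesystem, since the volume is what the package scriptlet never touched.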

Comment 7 Nikhil Dehadrai 2017-07-28 13:16:59 UTC
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64
IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64
Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a


Verified the bug on the basis of the following observations:
1. Verified that IPA server and REPLICA server setup using ipa-docker image can be successfully upgraded to latest version using latest ipa-docker image. (In my case from rhel 7.3.z to rhel 7.4.z)
2. Verified that "ipactl restart" command runs successfully both on IPA master and Replica setup using ipa-docker image after the upgrade.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 10 errata-xmlrpc 2017-08-01 13:20:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2373

