Bug 1475946 - ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgrade
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa-server-docker
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Petr Vobornik
QA Contact: Nikhil Dehadrai
Keywords: Extras, Regression
Depends On: 1476156
Blocks: 1405325
Reported: 2017-07-27 11:24 EDT by Nikhil Dehadrai
Modified: 2017-08-01 09:20 EDT

Fixed In Version: rhel7/ipa-server:4.5.0-8
Last Closed: 2017-08-01 09:20:32 EDT
Type: Bug
Attachments: None

Description Nikhil Dehadrai 2017-07-27 11:24:45 EDT
Description of problem:
ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgraded from RHEL 7.3.z to RHEL 7.4.z.

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
ipa-server-4.5.0-21.el7.x86_64

IPA-DOCKER image: 4.5.0.7
atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-26 21:02:12)
                 Commit: 59c94e1776ecc877c59ca22c1a3f655b40ce13b67187284b733372b44a655211



How reproducible:
Always

Steps to Reproduce:
1. Set up IPA using the IPA docker image from RHEL 7.3.z.
# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=x.x.x.x --forwarder=x.x.x.x -r TESTRELM.TEST -a Secret123 -p Secret123 --no-ntp -U
2. Start the IPA container and run the ipactl restart command.
# atomic run --name ipadocker rhel7/ipa-server
# docker exec -it ipadocker ipactl restart
3. Now load the latest ipa-server-docker image onto the atomic host
# docker load -i <ipa-server-docker image>
4. Run the following command to initiate the upgrade process
# atomic run --name ipadocker rhel7/ipa-server
5. Re-run the ipactl restart command
# docker exec -it ipadocker ipactl restart

Actual results:
1. After step 2, the ipactl restart command runs successfully.
2. After step 5, the ipactl restart command fails to restart.


Expected results:
The ipactl restart command should run successfully after ipa-docker image upgrade.
Comment 4 Martin Bašti 2017-07-28 03:28:40 EDT
The root cause is that the bind-dyndb-ldap package does its update in an RPM post scriptlet, which is not done in containers. This causes an invalid /etc/named.conf for the newer bind (in RHEL 7.4). The upgrade must be extracted from the RPM into an executable binary that must be called explicitly in the IPA container.
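
Added example, not part of the bug report or of the ipa-server-docker project's code: a shell check for the stale-configuration condition Comment 4 describes. The stanza keywords (`dynamic-db` for the older bind-dyndb-ldap syntax, `dyndb` for the syntax the newer bind expects), the function name `dyndb_style` and the sample configs are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example: classify the bind-dyndb-ldap stanza style in a named.conf.
# Assumption (not stated in the bug report):
#   old syntax:  dynamic-db "ipa" { library "ldap.so"; arg "..."; };
#   new syntax:  dyndb "ipa" "<path>/ldap.so" { ... };

# Print one of: legacy, current, mixed, none, unreadable.
dyndb_style() {
    conf=$1
    [ -r "$conf" ] || { echo unreadable; return 0; }
    # The patterns are anchored at line start, so stanzas commented out with
    # '#' or '//' are not counted. grep -c exits 1 on zero matches: '|| true'.
    old=$(grep -Ec '^[[:space:]]*dynamic-db[[:space:]]+"' "$conf" || true)
    new=$(grep -Ec '^[[:space:]]*dyndb[[:space:]]+"' "$conf" || true)
    if [ "$old" -gt 0 ] && [ "$new" -gt 0 ]; then echo mixed
    elif [ "$old" -gt 0 ]; then echo legacy
    elif [ "$new" -gt 0 ]; then echo current
    else echo none
    fi
}

# Constructed sample configs (realm, socket name and paths are made up).
sample_legacy() {
cat <<'EOF'
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "base cn=dns,dc=example,dc=test";
};
EOF
}
sample_current() {
cat <<'EOF'
# dynamic-db "ipa" { ... };   (old stanza left commented out)
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    base "cn=dns,dc=example,dc=test";
};
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
sample_legacy  > "$tmp/legacy.conf"
sample_current > "$tmp/current.conf"
for f in "$tmp/legacy.conf" "$tmp/current.conf"; do
    printf '%s: %s\n' "${f##*/}" "$(dyndb_style "$f")"
done
rm -rf "$tmp"
```

Under the stated assumption, a result of `legacy` or `mixed` for the container's /etc/named.conf after the image upgrade indicates that the conversion normally done by the package scriptlet was not applied.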
Comment 5 Martin Bašti 2017-07-28 04:35:36 EDT
Proposed fix: add the bind-dyndb-ldap package to the ipa-server-configure-first:upgrade_server function
Comment 7 Nikhil Dehadrai 2017-07-28 09:16:59 EDT
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64
IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64
Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a


Verified the bug on the basis of the following observations:
1. Verified that IPA server and REPLICA server setups using the ipa-docker image can be successfully upgraded to the latest version using the latest ipa-docker image. (In my case from RHEL 7.3.z to RHEL 7.4.z.)
2. Verified that the "ipactl restart" command runs successfully on both the IPA master and the Replica set up using the ipa-docker image after the upgrade.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
Comment 10 errata-xmlrpc 2017-08-01 09:20:32 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2373