Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1475946

Summary: ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgrade
Product: Red Hat Enterprise Linux 7 Reporter: Nikhil Dehadrai <ndehadra>
Component: ipa-server-containerAssignee: Petr Vobornik <pvoborni>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: fbarreto, mbasti, slaznick
Target Milestone: rcKeywords: Extras, Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rhel7/ipa-server:4.5.0-8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 13:20:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1476156    
Bug Blocks: 1405325    

Description Nikhil Dehadrai 2017-07-27 15:24:45 UTC 
Description of problem:
ipactl restart command fails to start named-pkcs11 service for ipa-server-docker image after IPA upgraded from RHEL 7.3.z to RHEL 7.4.z.

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
ipa-server-4.5.0-21.el7.x86_64

IPA-DOCKER image: 4.5.0.7
atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-26 21:02:12)
                 Commit: 59c94e1776ecc877c59ca22c1a3f655b40ce13b67187284b733372b44a655211



How reproducible:
Always

Steps to Reproduce:
1. Setup IPA using IPA docker image from RHEL 7.3.z.
# atomic install --name ipadocker rhel7/ipa-server net-host --hostname=`hostname` --setup-dns --ip-address=x.x.x.x --forwarder=x.x.x.x -r TESTRELM.TEST -a Secret123 -p Secret123 --no-ntp -U
2. Start the IPA container and run ipactl restart command.
# atomic run --name ipadocker rhel7/ipa-server
# docker exec -it ipadocker ipactl restart
3. Now load the latest ipa-server-docker image to atomic host
# docker load -i <ipa-server-docker image>
4. Run the following command to initiate the upgrade process
# atomic run --name ipadocker rhel7/ipa-server
5. Re-run the ipactl restart command
# docker exec -it ipadocker ipactl restart

Actual results:
1. After step2, the ipactl restart command runs successfully.
2. After step5, the ipactl restart command fails to restart.


Expected results:
The ipactl restart command should run successfully after ipa-docker image upgrade.
Comment 4 Martin Bašti 2017-07-28 07:28:40 UTC 
Root cause is that bind-dyndb-ldap package does update in RPM post scriptlet which is not done in containers. This causes invalid /etc/named.conf for newer bind (in RHEL7.4). Upgrade must be extracted from RPM to executable binary that must be called explicitly in IPA container.
Comment 5 Martin Bašti 2017-07-28 08:35:36 UTC 
Proposed fix: add bind-dyndb-ldap package to ipa-server-configure-first:upgrade_server function
Comment 7 Nikhil Dehadrai 2017-07-28 13:16:59 UTC 
ipa-docker image: 4.5.0.8

BIND:
bind-dyndb-ldap-11.1-4.el7.x86_64
bind-9.9.4-51.el7.x86_64
IPA-VERSION:
ipa-server-4.5.0-21.el7.x86_64
Atomic host version:
-bash-4.2# atomic host status
State: idle
Deployments:
● atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-07-28 00:26:01)
                 Commit: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a


Verified the bug on the basis of following observations:
1. Verified that IPA server and REPLICA server setup using ipa-docker image can be successfully upgraded to latest version using latest ipa-docker image. (In my case from rhel 7.3.z to rhel 7.4.z)
2. Verified that "ipactl restart" command runs successfully both on IPA master and Replica setup using ipa-docker image after the upgrade.

Thus on the basis of above observations marking status of bug to "VERIFIED".
Comment 10 errata-xmlrpc 2017-08-01 13:20:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2373